1 /*-
2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD: releng/10.4/sys/security/audit/audit_pipe.c 255359 2013-09-07 13:45:44Z davide $");
32
33 #include <sys/param.h>
34 #include <sys/condvar.h>
35 #include <sys/conf.h>
36 #include <sys/eventhandler.h>
37 #include <sys/filio.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/malloc.h>
41 #include <sys/mutex.h>
42 #include <sys/poll.h>
43 #include <sys/proc.h>
44 #include <sys/queue.h>
45 #include <sys/rwlock.h>
46 #include <sys/selinfo.h>
47 #include <sys/sigio.h>
48 #include <sys/signal.h>
49 #include <sys/signalvar.h>
50 #include <sys/sx.h>
51 #include <sys/systm.h>
52 #include <sys/uio.h>
53
54 #include <security/audit/audit.h>
55 #include <security/audit/audit_ioctl.h>
56 #include <security/audit/audit_private.h>
57
58 /*
59 * Implementation of a clonable special device providing a live stream of BSM
60 * audit data. Consumers receive a "tee" of the system audit trail by
61 * default, but may also define alternative event selections using ioctls.
62 * This interface provides unreliable but timely access to audit events.
63 * Consumers should be very careful to avoid introducing event cycles.
64 */
65
66 /*
67 * Memory types.
68 */
69 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
70 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
71 "Audit pipe entries and buffers");
72 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
73 "Audit pipe preselection structure");
74
75 /*
76 * Audit pipe buffer parameters.
77 */
78 #define AUDIT_PIPE_QLIMIT_DEFAULT (128)
79 #define AUDIT_PIPE_QLIMIT_MIN (1)
80 #define AUDIT_PIPE_QLIMIT_MAX (1024)
81
82 /*
83 * Description of an entry in an audit_pipe.
84 */
85 struct audit_pipe_entry {
86 void *ape_record;
87 u_int ape_record_len;
88 TAILQ_ENTRY(audit_pipe_entry) ape_queue;
89 };
90
91 /*
92 * Audit pipes allow processes to express "interest" in the set of records
93 * that are delivered via the pipe. They do this in a similar manner to the
94 * mechanism for audit trail configuration, by expressing two global masks,
95 * and optionally expressing per-auid masks. The following data structure is
96 * the per-auid mask description. The global state is stored in the audit
97 * pipe data structure.
98 *
99 * We may want to consider a more space/time-efficient data structure once
100 * usage patterns for per-auid specifications are clear.
101 */
102 struct audit_pipe_preselect {
103 au_id_t app_auid;
104 au_mask_t app_mask;
105 TAILQ_ENTRY(audit_pipe_preselect) app_list;
106 };
107
108 /*
109 * Description of an individual audit_pipe. Consists largely of a bounded
110 * length queue.
111 */
112 #define AUDIT_PIPE_ASYNC 0x00000001
113 #define AUDIT_PIPE_NBIO 0x00000002
114 struct audit_pipe {
115 int ap_open; /* Device open? */
116 u_int ap_flags;
117
118 struct selinfo ap_selinfo;
119 struct sigio *ap_sigio;
120
121 /*
122 * Per-pipe mutex protecting most fields in this data structure.
123 */
124 struct mtx ap_mtx;
125
126 /*
127 * Per-pipe sleep lock serializing user-generated reads and flushes.
128 * uiomove() is called to copy out the current head record's data
129 * while the record remains in the queue, so we prevent other threads
130 * from removing it using this lock.
131 */
132 struct sx ap_sx;
133
134 /*
135 * Condition variable to signal when data has been delivered to a
136 * pipe.
137 */
138 struct cv ap_cv;
139
140 /*
141 * Various queue-reated variables: qlen and qlimit are a count of
142 * records in the queue; qbyteslen is the number of bytes of data
143 * across all records, and qoffset is the amount read so far of the
144 * first record in the queue. The number of bytes available for
145 * reading in the queue is qbyteslen - qoffset.
146 */
147 u_int ap_qlen;
148 u_int ap_qlimit;
149 u_int ap_qbyteslen;
150 u_int ap_qoffset;
151
152 /*
153 * Per-pipe operation statistics.
154 */
155 u_int64_t ap_inserts; /* Records added. */
156 u_int64_t ap_reads; /* Records read. */
157 u_int64_t ap_drops; /* Records dropped. */
158
159 /*
160 * Fields relating to pipe interest: global masks for unmatched
161 * processes (attributable, non-attributable), and a list of specific
162 * interest specifications by auid.
163 */
164 int ap_preselect_mode;
165 au_mask_t ap_preselect_flags;
166 au_mask_t ap_preselect_naflags;
167 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
168
169 /*
170 * Current pending record list. Protected by a combination of ap_mtx
171 * and ap_sx. Note particularly that *both* locks are required to
172 * remove a record from the head of the queue, as an in-progress read
173 * may sleep while copying and therefore cannot hold ap_mtx.
174 */
175 TAILQ_HEAD(, audit_pipe_entry) ap_queue;
176
177 /*
178 * Global pipe list.
179 */
180 TAILQ_ENTRY(audit_pipe) ap_list;
181 };
182
183 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
184 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
185 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
186 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
187 "audit_pipe_mtx", NULL, MTX_DEF)
188 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
189 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
190
191 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx)
192 #define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx")
193 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED)
194 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx)
195 #define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx)
196
197 /*
198 * Global list of audit pipes, rwlock to protect it. Individual record
199 * queues on pipes are protected by per-pipe locks; these locks synchronize
200 * between threads walking the list to deliver to individual pipes and add/
201 * remove of pipes, and are mostly acquired for read.
202 */
203 static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
204 static struct rwlock audit_pipe_lock;
205
206 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
207 "audit_pipe_list_lock")
208 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
209 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
210 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
211 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
212 RA_WLOCKED)
213 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
214
215 /*
216 * Cloning related variables and constants.
217 */
218 #define AUDIT_PIPE_NAME "auditpipe"
219 static eventhandler_tag audit_pipe_eh_tag;
220 static struct clonedevs *audit_pipe_clones;
221
222 /*
223 * Special device methods and definition.
224 */
225 static d_open_t audit_pipe_open;
226 static d_close_t audit_pipe_close;
227 static d_read_t audit_pipe_read;
228 static d_ioctl_t audit_pipe_ioctl;
229 static d_poll_t audit_pipe_poll;
230 static d_kqfilter_t audit_pipe_kqfilter;
231
232 static struct cdevsw audit_pipe_cdevsw = {
233 .d_version = D_VERSION,
234 .d_flags = D_NEEDMINOR,
235 .d_open = audit_pipe_open,
236 .d_close = audit_pipe_close,
237 .d_read = audit_pipe_read,
238 .d_ioctl = audit_pipe_ioctl,
239 .d_poll = audit_pipe_poll,
240 .d_kqfilter = audit_pipe_kqfilter,
241 .d_name = AUDIT_PIPE_NAME,
242 };
243
244 static int audit_pipe_kqread(struct knote *note, long hint);
245 static void audit_pipe_kqdetach(struct knote *note);
246
247 static struct filterops audit_pipe_read_filterops = {
248 .f_isfd = 1,
249 .f_attach = NULL,
250 .f_detach = audit_pipe_kqdetach,
251 .f_event = audit_pipe_kqread,
252 };
253
254 /*
255 * Some global statistics on audit pipes.
256 */
257 static int audit_pipe_count; /* Current number of pipes. */
258 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
259 static u_int64_t audit_pipe_records; /* Records seen. */
260 static u_int64_t audit_pipe_drops; /* Global record drop count. */
261
262 /*
263 * Free an audit pipe entry.
264 */
265 static void
266 audit_pipe_entry_free(struct audit_pipe_entry *ape)
267 {
268
269 free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
270 free(ape, M_AUDIT_PIPE_ENTRY);
271 }
272
273 /*
274 * Find an audit pipe preselection specification for an auid, if any.
275 */
276 static struct audit_pipe_preselect *
277 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
278 {
279 struct audit_pipe_preselect *app;
280
281 AUDIT_PIPE_LOCK_ASSERT(ap);
282
283 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
284 if (app->app_auid == auid)
285 return (app);
286 }
287 return (NULL);
288 }
289
290 /*
291 * Query the per-pipe mask for a specific auid.
292 */
293 static int
294 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
295 au_mask_t *maskp)
296 {
297 struct audit_pipe_preselect *app;
298 int error;
299
300 AUDIT_PIPE_LOCK(ap);
301 app = audit_pipe_preselect_find(ap, auid);
302 if (app != NULL) {
303 *maskp = app->app_mask;
304 error = 0;
305 } else
306 error = ENOENT;
307 AUDIT_PIPE_UNLOCK(ap);
308 return (error);
309 }
310
311 /*
312 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
313 * otherwise, update the current entry.
314 */
315 static void
316 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
317 {
318 struct audit_pipe_preselect *app, *app_new;
319
320 /*
321 * Pessimistically assume that the auid doesn't already have a mask
322 * set, and allocate. We will free it if it is unneeded.
323 */
324 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
325 AUDIT_PIPE_LOCK(ap);
326 app = audit_pipe_preselect_find(ap, auid);
327 if (app == NULL) {
328 app = app_new;
329 app_new = NULL;
330 app->app_auid = auid;
331 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
332 }
333 app->app_mask = mask;
334 AUDIT_PIPE_UNLOCK(ap);
335 if (app_new != NULL)
336 free(app_new, M_AUDIT_PIPE_PRESELECT);
337 }
338
339 /*
340 * Delete a per-auid mask on an audit pipe.
341 */
342 static int
343 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
344 {
345 struct audit_pipe_preselect *app;
346 int error;
347
348 AUDIT_PIPE_LOCK(ap);
349 app = audit_pipe_preselect_find(ap, auid);
350 if (app != NULL) {
351 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
352 error = 0;
353 } else
354 error = ENOENT;
355 AUDIT_PIPE_UNLOCK(ap);
356 if (app != NULL)
357 free(app, M_AUDIT_PIPE_PRESELECT);
358 return (error);
359 }
360
361 /*
362 * Delete all per-auid masks on an audit pipe.
363 */
364 static void
365 audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
366 {
367 struct audit_pipe_preselect *app;
368
369 AUDIT_PIPE_LOCK_ASSERT(ap);
370
371 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
372 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
373 free(app, M_AUDIT_PIPE_PRESELECT);
374 }
375 }
376
377 static void
378 audit_pipe_preselect_flush(struct audit_pipe *ap)
379 {
380
381 AUDIT_PIPE_LOCK(ap);
382 audit_pipe_preselect_flush_locked(ap);
383 AUDIT_PIPE_UNLOCK(ap);
384 }
385
386 /*-
387 * Determine whether a specific audit pipe matches a record with these
388 * properties. Algorithm is as follows:
389 *
390 * - If the pipe is configured to track the default trail configuration, then
391 * use the results of global preselection matching.
392 * - If not, search for a specifically configured auid entry matching the
393 * event. If an entry is found, use that.
394 * - Otherwise, use the default flags or naflags configured for the pipe.
395 */
396 static int
397 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
398 au_event_t event, au_class_t class, int sorf, int trail_preselect)
399 {
400 struct audit_pipe_preselect *app;
401
402 AUDIT_PIPE_LOCK_ASSERT(ap);
403
404 switch (ap->ap_preselect_mode) {
405 case AUDITPIPE_PRESELECT_MODE_TRAIL:
406 return (trail_preselect);
407
408 case AUDITPIPE_PRESELECT_MODE_LOCAL:
409 app = audit_pipe_preselect_find(ap, auid);
410 if (app == NULL) {
411 if (auid == AU_DEFAUDITID)
412 return (au_preselect(event, class,
413 &ap->ap_preselect_naflags, sorf));
414 else
415 return (au_preselect(event, class,
416 &ap->ap_preselect_flags, sorf));
417 } else
418 return (au_preselect(event, class, &app->app_mask,
419 sorf));
420
421 default:
422 panic("audit_pipe_preselect_check: mode %d",
423 ap->ap_preselect_mode);
424 }
425
426 return (0);
427 }
428
429 /*
430 * Determine whether there exists a pipe interested in a record with specific
431 * properties.
432 */
433 int
434 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
435 int sorf, int trail_preselect)
436 {
437 struct audit_pipe *ap;
438
439 /* Lockless read to avoid acquiring the global lock if not needed. */
440 if (TAILQ_EMPTY(&audit_pipe_list))
441 return (0);
442
443 AUDIT_PIPE_LIST_RLOCK();
444 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
445 AUDIT_PIPE_LOCK(ap);
446 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
447 trail_preselect)) {
448 AUDIT_PIPE_UNLOCK(ap);
449 AUDIT_PIPE_LIST_RUNLOCK();
450 return (1);
451 }
452 AUDIT_PIPE_UNLOCK(ap);
453 }
454 AUDIT_PIPE_LIST_RUNLOCK();
455 return (0);
456 }
457
458 /*
459 * Append individual record to a queue -- allocate queue-local buffer, and
460 * add to the queue. If the queue is full or we can't allocate memory, drop
461 * the newest record.
462 */
463 static void
464 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
465 {
466 struct audit_pipe_entry *ape;
467
468 AUDIT_PIPE_LOCK_ASSERT(ap);
469
470 if (ap->ap_qlen >= ap->ap_qlimit) {
471 ap->ap_drops++;
472 audit_pipe_drops++;
473 return;
474 }
475
476 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
477 if (ape == NULL) {
478 ap->ap_drops++;
479 audit_pipe_drops++;
480 return;
481 }
482
483 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
484 if (ape->ape_record == NULL) {
485 free(ape, M_AUDIT_PIPE_ENTRY);
486 ap->ap_drops++;
487 audit_pipe_drops++;
488 return;
489 }
490
491 bcopy(record, ape->ape_record, record_len);
492 ape->ape_record_len = record_len;
493
494 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
495 ap->ap_inserts++;
496 ap->ap_qlen++;
497 ap->ap_qbyteslen += ape->ape_record_len;
498 selwakeuppri(&ap->ap_selinfo, PSOCK);
499 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
500 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
501 pgsigio(&ap->ap_sigio, SIGIO, 0);
502 cv_broadcast(&ap->ap_cv);
503 }
504
505 /*
506 * audit_pipe_submit(): audit_worker submits audit records via this
507 * interface, which arranges for them to be delivered to pipe queues.
508 */
509 void
510 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
511 int trail_select, void *record, u_int record_len)
512 {
513 struct audit_pipe *ap;
514
515 /*
516 * Lockless read to avoid lock overhead if pipes are not in use.
517 */
518 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
519 return;
520
521 AUDIT_PIPE_LIST_RLOCK();
522 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
523 AUDIT_PIPE_LOCK(ap);
524 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
525 trail_select))
526 audit_pipe_append(ap, record, record_len);
527 AUDIT_PIPE_UNLOCK(ap);
528 }
529 AUDIT_PIPE_LIST_RUNLOCK();
530
531 /* Unlocked increment. */
532 audit_pipe_records++;
533 }
534
535 /*
536 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
537 * since we don't currently have selection information available, it is
538 * delivered to the pipe unconditionally.
539 *
540 * XXXRW: This is a bug. The BSM check routine for submitting a user record
541 * should parse that information and return it.
542 */
543 void
544 audit_pipe_submit_user(void *record, u_int record_len)
545 {
546 struct audit_pipe *ap;
547
548 /*
549 * Lockless read to avoid lock overhead if pipes are not in use.
550 */
551 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
552 return;
553
554 AUDIT_PIPE_LIST_RLOCK();
555 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
556 AUDIT_PIPE_LOCK(ap);
557 audit_pipe_append(ap, record, record_len);
558 AUDIT_PIPE_UNLOCK(ap);
559 }
560 AUDIT_PIPE_LIST_RUNLOCK();
561
562 /* Unlocked increment. */
563 audit_pipe_records++;
564 }
565
566 /*
567 * Allocate a new audit pipe. Connects the pipe, on success, to the global
568 * list and updates statistics.
569 */
570 static struct audit_pipe *
571 audit_pipe_alloc(void)
572 {
573 struct audit_pipe *ap;
574
575 AUDIT_PIPE_LIST_WLOCK_ASSERT();
576
577 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO);
578 if (ap == NULL)
579 return (NULL);
580 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
581 TAILQ_INIT(&ap->ap_queue);
582 knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap));
583 AUDIT_PIPE_LOCK_INIT(ap);
584 AUDIT_PIPE_SX_LOCK_INIT(ap);
585 cv_init(&ap->ap_cv, "audit_pipe");
586
587 /*
588 * Default flags, naflags, and auid-specific preselection settings to
589 * 0. Initialize the mode to the global trail so that if praudit(1)
590 * is run on /dev/auditpipe, it sees events associated with the
591 * default trail. Pipe-aware application can clear the flag, set
592 * custom masks, and flush the pipe as needed.
593 */
594 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
595 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
596 TAILQ_INIT(&ap->ap_preselect_list);
597 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
598
599 /*
600 * Add to global list and update global statistics.
601 */
602 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
603 audit_pipe_count++;
604 audit_pipe_ever++;
605
606 return (ap);
607 }
608
609 /*
610 * Flush all records currently present in an audit pipe; assume mutex is held.
611 */
612 static void
613 audit_pipe_flush(struct audit_pipe *ap)
614 {
615 struct audit_pipe_entry *ape;
616
617 AUDIT_PIPE_LOCK_ASSERT(ap);
618
619 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
620 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
621 ap->ap_qbyteslen -= ape->ape_record_len;
622 audit_pipe_entry_free(ape);
623 ap->ap_qlen--;
624 }
625 ap->ap_qoffset = 0;
626
627 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
628 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
629 }
630
631 /*
632 * Free an audit pipe; this means freeing all preselection state and all
633 * records in the pipe. Assumes global write lock and pipe mutex are held to
634 * prevent any new records from being inserted during the free, and that the
635 * audit pipe is still on the global list.
636 */
637 static void
638 audit_pipe_free(struct audit_pipe *ap)
639 {
640
641 AUDIT_PIPE_LIST_WLOCK_ASSERT();
642 AUDIT_PIPE_LOCK_ASSERT(ap);
643
644 audit_pipe_preselect_flush_locked(ap);
645 audit_pipe_flush(ap);
646 cv_destroy(&ap->ap_cv);
647 AUDIT_PIPE_SX_LOCK_DESTROY(ap);
648 AUDIT_PIPE_LOCK_DESTROY(ap);
649 seldrain(&ap->ap_selinfo);
650 knlist_destroy(&ap->ap_selinfo.si_note);
651 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
652 free(ap, M_AUDIT_PIPE);
653 audit_pipe_count--;
654 }
655
656 /*
657 * Audit pipe clone routine -- provide specific requested audit pipe, or a
658 * fresh one if a specific one is not requested.
659 */
660 static void
661 audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen,
662 struct cdev **dev)
663 {
664 int i, u;
665
666 if (*dev != NULL)
667 return;
668
669 if (strcmp(name, AUDIT_PIPE_NAME) == 0)
670 u = -1;
671 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1)
672 return;
673
674 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0);
675 if (i)
676 *dev = make_dev_credf(MAKEDEV_REF, &audit_pipe_cdevsw, u, cred,
677 UID_ROOT, GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u);
678 }
679
680 /*
681 * Audit pipe open method. Explicit privilege check isn't used as this
682 * allows file permissions on the special device to be used to grant audit
683 * review access. Those file permissions should be managed carefully.
684 */
685 static int
686 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
687 {
688 struct audit_pipe *ap;
689
690 AUDIT_PIPE_LIST_WLOCK();
691 ap = dev->si_drv1;
692 if (ap == NULL) {
693 ap = audit_pipe_alloc();
694 if (ap == NULL) {
695 AUDIT_PIPE_LIST_WUNLOCK();
696 return (ENOMEM);
697 }
698 dev->si_drv1 = ap;
699 } else {
700 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open"));
701 AUDIT_PIPE_LIST_WUNLOCK();
702 return (EBUSY);
703 }
704 ap->ap_open = 1; /* No lock required yet. */
705 AUDIT_PIPE_LIST_WUNLOCK();
706 fsetown(td->td_proc->p_pid, &ap->ap_sigio);
707 return (0);
708 }
709
710 /*
711 * Close audit pipe, tear down all records, etc.
712 */
713 static int
714 audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td)
715 {
716 struct audit_pipe *ap;
717
718 ap = dev->si_drv1;
719 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL"));
720 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open"));
721
722 funsetown(&ap->ap_sigio);
723 AUDIT_PIPE_LIST_WLOCK();
724 AUDIT_PIPE_LOCK(ap);
725 ap->ap_open = 0;
726 audit_pipe_free(ap);
727 dev->si_drv1 = NULL;
728 AUDIT_PIPE_LIST_WUNLOCK();
729 return (0);
730 }
731
732 /*
733 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
734 * commands.
735 */
736 static int
737 audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
738 struct thread *td)
739 {
740 struct auditpipe_ioctl_preselect *aip;
741 struct audit_pipe *ap;
742 au_mask_t *maskp;
743 int error, mode;
744 au_id_t auid;
745
746 ap = dev->si_drv1;
747 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
748
749 /*
750 * Audit pipe ioctls: first come standard device node ioctls, then
751 * manipulation of pipe settings, and finally, statistics query
752 * ioctls.
753 */
754 switch (cmd) {
755 case FIONBIO:
756 AUDIT_PIPE_LOCK(ap);
757 if (*(int *)data)
758 ap->ap_flags |= AUDIT_PIPE_NBIO;
759 else
760 ap->ap_flags &= ~AUDIT_PIPE_NBIO;
761 AUDIT_PIPE_UNLOCK(ap);
762 error = 0;
763 break;
764
765 case FIONREAD:
766 AUDIT_PIPE_LOCK(ap);
767 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
768 AUDIT_PIPE_UNLOCK(ap);
769 error = 0;
770 break;
771
772 case FIOASYNC:
773 AUDIT_PIPE_LOCK(ap);
774 if (*(int *)data)
775 ap->ap_flags |= AUDIT_PIPE_ASYNC;
776 else
777 ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
778 AUDIT_PIPE_UNLOCK(ap);
779 error = 0;
780 break;
781
782 case FIOSETOWN:
783 error = fsetown(*(int *)data, &ap->ap_sigio);
784 break;
785
786 case FIOGETOWN:
787 *(int *)data = fgetown(&ap->ap_sigio);
788 error = 0;
789 break;
790
791 case AUDITPIPE_GET_QLEN:
792 *(u_int *)data = ap->ap_qlen;
793 error = 0;
794 break;
795
796 case AUDITPIPE_GET_QLIMIT:
797 *(u_int *)data = ap->ap_qlimit;
798 error = 0;
799 break;
800
801 case AUDITPIPE_SET_QLIMIT:
802 /* Lockless integer write. */
803 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
804 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
805 ap->ap_qlimit = *(u_int *)data;
806 error = 0;
807 } else
808 error = EINVAL;
809 break;
810
811 case AUDITPIPE_GET_QLIMIT_MIN:
812 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
813 error = 0;
814 break;
815
816 case AUDITPIPE_GET_QLIMIT_MAX:
817 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
818 error = 0;
819 break;
820
821 case AUDITPIPE_GET_PRESELECT_FLAGS:
822 AUDIT_PIPE_LOCK(ap);
823 maskp = (au_mask_t *)data;
824 *maskp = ap->ap_preselect_flags;
825 AUDIT_PIPE_UNLOCK(ap);
826 error = 0;
827 break;
828
829 case AUDITPIPE_SET_PRESELECT_FLAGS:
830 AUDIT_PIPE_LOCK(ap);
831 maskp = (au_mask_t *)data;
832 ap->ap_preselect_flags = *maskp;
833 AUDIT_PIPE_UNLOCK(ap);
834 error = 0;
835 break;
836
837 case AUDITPIPE_GET_PRESELECT_NAFLAGS:
838 AUDIT_PIPE_LOCK(ap);
839 maskp = (au_mask_t *)data;
840 *maskp = ap->ap_preselect_naflags;
841 AUDIT_PIPE_UNLOCK(ap);
842 error = 0;
843 break;
844
845 case AUDITPIPE_SET_PRESELECT_NAFLAGS:
846 AUDIT_PIPE_LOCK(ap);
847 maskp = (au_mask_t *)data;
848 ap->ap_preselect_naflags = *maskp;
849 AUDIT_PIPE_UNLOCK(ap);
850 error = 0;
851 break;
852
853 case AUDITPIPE_GET_PRESELECT_AUID:
854 aip = (struct auditpipe_ioctl_preselect *)data;
855 error = audit_pipe_preselect_get(ap, aip->aip_auid,
856 &aip->aip_mask);
857 break;
858
859 case AUDITPIPE_SET_PRESELECT_AUID:
860 aip = (struct auditpipe_ioctl_preselect *)data;
861 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
862 error = 0;
863 break;
864
865 case AUDITPIPE_DELETE_PRESELECT_AUID:
866 auid = *(au_id_t *)data;
867 error = audit_pipe_preselect_delete(ap, auid);
868 break;
869
870 case AUDITPIPE_FLUSH_PRESELECT_AUID:
871 audit_pipe_preselect_flush(ap);
872 error = 0;
873 break;
874
875 case AUDITPIPE_GET_PRESELECT_MODE:
876 AUDIT_PIPE_LOCK(ap);
877 *(int *)data = ap->ap_preselect_mode;
878 AUDIT_PIPE_UNLOCK(ap);
879 error = 0;
880 break;
881
882 case AUDITPIPE_SET_PRESELECT_MODE:
883 mode = *(int *)data;
884 switch (mode) {
885 case AUDITPIPE_PRESELECT_MODE_TRAIL:
886 case AUDITPIPE_PRESELECT_MODE_LOCAL:
887 AUDIT_PIPE_LOCK(ap);
888 ap->ap_preselect_mode = mode;
889 AUDIT_PIPE_UNLOCK(ap);
890 error = 0;
891 break;
892
893 default:
894 error = EINVAL;
895 }
896 break;
897
898 case AUDITPIPE_FLUSH:
899 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
900 return (EINTR);
901 AUDIT_PIPE_LOCK(ap);
902 audit_pipe_flush(ap);
903 AUDIT_PIPE_UNLOCK(ap);
904 AUDIT_PIPE_SX_XUNLOCK(ap);
905 error = 0;
906 break;
907
908 case AUDITPIPE_GET_MAXAUDITDATA:
909 *(u_int *)data = MAXAUDITDATA;
910 error = 0;
911 break;
912
913 case AUDITPIPE_GET_INSERTS:
914 *(u_int *)data = ap->ap_inserts;
915 error = 0;
916 break;
917
918 case AUDITPIPE_GET_READS:
919 *(u_int *)data = ap->ap_reads;
920 error = 0;
921 break;
922
923 case AUDITPIPE_GET_DROPS:
924 *(u_int *)data = ap->ap_drops;
925 error = 0;
926 break;
927
928 case AUDITPIPE_GET_TRUNCATES:
929 *(u_int *)data = 0;
930 error = 0;
931 break;
932
933 default:
934 error = ENOTTY;
935 }
936 return (error);
937 }
938
939 /*
940 * Audit pipe read. Read one or more partial or complete records to user
941 * memory.
942 */
943 static int
944 audit_pipe_read(struct cdev *dev, struct uio *uio, int flag)
945 {
946 struct audit_pipe_entry *ape;
947 struct audit_pipe *ap;
948 u_int toread;
949 int error;
950
951 ap = dev->si_drv1;
952 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL"));
953
954 /*
955 * We hold an sx(9) lock over read and flush because we rely on the
956 * stability of a record in the queue during uiomove(9).
957 */
958 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
959 return (EINTR);
960 AUDIT_PIPE_LOCK(ap);
961 while (TAILQ_EMPTY(&ap->ap_queue)) {
962 if (ap->ap_flags & AUDIT_PIPE_NBIO) {
963 AUDIT_PIPE_UNLOCK(ap);
964 AUDIT_PIPE_SX_XUNLOCK(ap);
965 return (EAGAIN);
966 }
967 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
968 if (error) {
969 AUDIT_PIPE_UNLOCK(ap);
970 AUDIT_PIPE_SX_XUNLOCK(ap);
971 return (error);
972 }
973 }
974
975 /*
976 * Copy as many remaining bytes from the current record to userspace
977 * as we can. Keep processing records until we run out of records in
978 * the queue, or until the user buffer runs out of space.
979 *
980 * Note: we rely on the SX lock to maintain ape's stability here.
981 */
982 ap->ap_reads++;
983 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
984 uio->uio_resid > 0) {
985 AUDIT_PIPE_LOCK_ASSERT(ap);
986
987 KASSERT(ape->ape_record_len > ap->ap_qoffset,
988 ("audit_pipe_read: record_len > qoffset (1)"));
989 toread = MIN(ape->ape_record_len - ap->ap_qoffset,
990 uio->uio_resid);
991 AUDIT_PIPE_UNLOCK(ap);
992 error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
993 toread, uio);
994 if (error) {
995 AUDIT_PIPE_SX_XUNLOCK(ap);
996 return (error);
997 }
998
999 /*
1000 * If the copy succeeded, update book-keeping, and if no
1001 * bytes remain in the current record, free it.
1002 */
1003 AUDIT_PIPE_LOCK(ap);
1004 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
1005 ("audit_pipe_read: queue out of sync after uiomove"));
1006 ap->ap_qoffset += toread;
1007 KASSERT(ape->ape_record_len >= ap->ap_qoffset,
1008 ("audit_pipe_read: record_len >= qoffset (2)"));
1009 if (ap->ap_qoffset == ape->ape_record_len) {
1010 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
1011 ap->ap_qbyteslen -= ape->ape_record_len;
1012 audit_pipe_entry_free(ape);
1013 ap->ap_qlen--;
1014 ap->ap_qoffset = 0;
1015 }
1016 }
1017 AUDIT_PIPE_UNLOCK(ap);
1018 AUDIT_PIPE_SX_XUNLOCK(ap);
1019 return (0);
1020 }
1021
1022 /*
1023 * Audit pipe poll.
1024 */
1025 static int
1026 audit_pipe_poll(struct cdev *dev, int events, struct thread *td)
1027 {
1028 struct audit_pipe *ap;
1029 int revents;
1030
1031 revents = 0;
1032 ap = dev->si_drv1;
1033 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL"));
1034
1035 if (events & (POLLIN | POLLRDNORM)) {
1036 AUDIT_PIPE_LOCK(ap);
1037 if (TAILQ_FIRST(&ap->ap_queue) != NULL)
1038 revents |= events & (POLLIN | POLLRDNORM);
1039 else
1040 selrecord(td, &ap->ap_selinfo);
1041 AUDIT_PIPE_UNLOCK(ap);
1042 }
1043 return (revents);
1044 }
1045
1046 /*
1047 * Audit pipe kqfilter.
1048 */
1049 static int
1050 audit_pipe_kqfilter(struct cdev *dev, struct knote *kn)
1051 {
1052 struct audit_pipe *ap;
1053
1054 ap = dev->si_drv1;
1055 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL"));
1056
1057 if (kn->kn_filter != EVFILT_READ)
1058 return (EINVAL);
1059
1060 kn->kn_fop = &audit_pipe_read_filterops;
1061 kn->kn_hook = ap;
1062
1063 AUDIT_PIPE_LOCK(ap);
1064 knlist_add(&ap->ap_selinfo.si_note, kn, 1);
1065 AUDIT_PIPE_UNLOCK(ap);
1066 return (0);
1067 }
1068
1069 /*
1070 * Return true if there are records available for reading on the pipe.
1071 */
1072 static int
1073 audit_pipe_kqread(struct knote *kn, long hint)
1074 {
1075 struct audit_pipe *ap;
1076
1077 ap = (struct audit_pipe *)kn->kn_hook;
1078 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL"));
1079 AUDIT_PIPE_LOCK_ASSERT(ap);
1080
1081 if (ap->ap_qlen != 0) {
1082 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
1083 return (1);
1084 } else {
1085 kn->kn_data = 0;
1086 return (0);
1087 }
1088 }
1089
1090 /*
1091 * Detach kqueue state from audit pipe.
1092 */
1093 static void
1094 audit_pipe_kqdetach(struct knote *kn)
1095 {
1096 struct audit_pipe *ap;
1097
1098 ap = (struct audit_pipe *)kn->kn_hook;
1099 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL"));
1100
1101 AUDIT_PIPE_LOCK(ap);
1102 knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
1103 AUDIT_PIPE_UNLOCK(ap);
1104 }
1105
1106 /*
1107 * Initialize the audit pipe system.
1108 */
1109 static void
1110 audit_pipe_init(void *unused)
1111 {
1112
1113 TAILQ_INIT(&audit_pipe_list);
1114 AUDIT_PIPE_LIST_LOCK_INIT();
1115
1116 clone_setup(&audit_pipe_clones);
1117 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone,
1118 audit_pipe_clone, 0, 1000);
1119 if (audit_pipe_eh_tag == NULL)
1120 panic("audit_pipe_init: EVENTHANDLER_REGISTER");
1121 }
1122
1123 SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init,
1124 NULL);
Cache object: 6e057ebdcd25452fde20d8a1febf882c
|