The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/audit/audit_worker.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1999-2008 Apple Inc.
    3  * Copyright (c) 2006-2008 Robert N. M. Watson
    4  * All rights reserved.
    5  *
    6  * Redistribution and use in source and binary forms, with or without
    7  * modification, are permitted provided that the following conditions
    8  * are met:
    9  * 1.  Redistributions of source code must retain the above copyright
   10  *     notice, this list of conditions and the following disclaimer.
   11  * 2.  Redistributions in binary form must reproduce the above copyright
   12  *     notice, this list of conditions and the following disclaimer in the
   13  *     documentation and/or other materials provided with the distribution.
   14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
   15  *     its contributors may be used to endorse or promote products derived
   16  *     from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
   19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   21  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
   22  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   26  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
   27  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   28  * POSSIBILITY OF SUCH DAMAGE.
   29  */
   30 
   31 #include <sys/cdefs.h>
   32 __FBSDID("$FreeBSD: releng/11.0/sys/security/audit/audit_worker.c 294137 2016-01-16 10:06:33Z kib $");
   33 
   34 #include <sys/param.h>
   35 #include <sys/condvar.h>
   36 #include <sys/conf.h>
   37 #include <sys/file.h>
   38 #include <sys/filedesc.h>
   39 #include <sys/fcntl.h>
   40 #include <sys/ipc.h>
   41 #include <sys/kernel.h>
   42 #include <sys/kthread.h>
   43 #include <sys/malloc.h>
   44 #include <sys/mount.h>
   45 #include <sys/namei.h>
   46 #include <sys/proc.h>
   47 #include <sys/queue.h>
   48 #include <sys/socket.h>
   49 #include <sys/socketvar.h>
   50 #include <sys/protosw.h>
   51 #include <sys/domain.h>
   52 #include <sys/sx.h>
   53 #include <sys/sysproto.h>
   54 #include <sys/sysent.h>
   55 #include <sys/systm.h>
   56 #include <sys/ucred.h>
   57 #include <sys/uio.h>
   58 #include <sys/un.h>
   59 #include <sys/unistd.h>
   60 #include <sys/vnode.h>
   61 
   62 #include <bsm/audit.h>
   63 #include <bsm/audit_internal.h>
   64 #include <bsm/audit_kevents.h>
   65 
   66 #include <netinet/in.h>
   67 #include <netinet/in_pcb.h>
   68 
   69 #include <security/audit/audit.h>
   70 #include <security/audit/audit_private.h>
   71 
   72 #include <vm/uma.h>
   73 
   74 #include <machine/stdarg.h>
   75 
   76 /*
   77  * Worker thread that will schedule disk I/O, etc.
   78  */
   79 static struct proc              *audit_thread;
   80 
   81 /*
   82  * audit_cred and audit_vp are the stored credential and vnode to use for
   83  * active audit trail.  They are protected by the audit worker lock, which
   84  * will be held across all I/O and all rotation to prevent them from being
   85  * replaced (rotated) while in use.  The audit_file_rotate_wait flag is set
   86  * when the kernel has delivered a trigger to auditd to rotate the trail, and
   87  * is cleared when the next rotation takes place.  It is also protected by
   88  * the audit worker lock.
   89  */
   90 static int               audit_file_rotate_wait;
   91 static struct ucred     *audit_cred;
   92 static struct vnode     *audit_vp;
   93 static off_t             audit_size;
   94 static struct sx         audit_worker_lock;
   95 
   96 #define AUDIT_WORKER_LOCK_INIT()        sx_init(&audit_worker_lock, \
   97                                             "audit_worker_lock");
   98 #define AUDIT_WORKER_LOCK_ASSERT()      sx_assert(&audit_worker_lock, \
   99                                             SA_XLOCKED)
  100 #define AUDIT_WORKER_LOCK()             sx_xlock(&audit_worker_lock)
  101 #define AUDIT_WORKER_UNLOCK()           sx_xunlock(&audit_worker_lock)
  102 
  103 static void
  104 audit_worker_sync_vp(struct vnode *vp, struct mount *mp, const char *fmt, ...)
  105 {
  106         struct mount *mp1;
  107         int error;
  108         va_list va;
  109 
  110         va_start(va, fmt);
  111         error = vn_start_write(vp, &mp1, 0);
  112         if (error == 0) {
  113                 VOP_LOCK(vp, LK_EXCLUSIVE | LK_RETRY);
  114                 (void)VOP_FSYNC(vp, MNT_WAIT, curthread);
  115                 VOP_UNLOCK(vp, 0);
  116                 vn_finished_write(mp1);
  117         }
  118         vfs_unbusy(mp);
  119         vpanic(fmt, va);
  120         va_end(va);
  121 }
  122 
  123 /*
  124  * Write an audit record to a file, performed as the last stage after both
  125  * preselection and BSM conversion.  Both space management and write failures
  126  * are handled in this function.
  127  *
  128  * No attempt is made to deal with possible failure to deliver a trigger to
  129  * the audit daemon, since the message is asynchronous anyway.
  130  */
  131 static void
  132 audit_record_write(struct vnode *vp, struct ucred *cred, void *data,
  133     size_t len)
  134 {
  135         static struct timeval last_lowspace_trigger;
  136         static struct timeval last_fail;
  137         static int cur_lowspace_trigger;
  138         struct statfs *mnt_stat;
  139         struct mount *mp;
  140         int error;
  141         static int cur_fail;
  142         long temp;
  143 
  144         AUDIT_WORKER_LOCK_ASSERT();
  145 
  146         if (vp == NULL)
  147                 return;
  148 
  149         mp = vp->v_mount;
  150         if (mp == NULL) {
  151                 error = EINVAL;
  152                 goto fail;
  153         }
  154         error = vfs_busy(mp, 0);
  155         if (error != 0) {
  156                 mp = NULL;
  157                 goto fail;
  158         }
  159         mnt_stat = &mp->mnt_stat;
  160 
  161         /*
  162          * First, gather statistics on the audit log file and file system so
  163          * that we know how we're doing on space.  Consider failure of these
  164          * operations to indicate a future inability to write to the file.
  165          */
  166         error = VFS_STATFS(mp, mnt_stat);
  167         if (error != 0)
  168                 goto fail;
  169 
  170         /*
  171          * We handle four different space-related limits:
  172          *
  173          * - A fixed (hard) limit on the minimum free blocks we require on
  174          *   the file system, and results in record loss, a trigger, and
  175          *   possible fail stop due to violating invariants.
  176          *
  177          * - An administrative (soft) limit, which when fallen below, results
  178          *   in the kernel notifying the audit daemon of low space.
  179          *
  180          * - An audit trail size limit, which when gone above, results in the
  181          *   kernel notifying the audit daemon that rotation is desired.
  182          *
  183          * - The total depth of the kernel audit record exceeding free space,
  184          *   which can lead to possible fail stop (with drain), in order to
  185          *   prevent violating invariants.  Failure here doesn't halt
  186          *   immediately, but prevents new records from being generated.
  187          *
  188          * Possibly, the last of these should be handled differently, always
  189          * allowing a full queue to be lost, rather than trying to prevent
  190          * loss.
  191          *
  192          * First, handle the hard limit, which generates a trigger and may
  193          * fail stop.  This is handled in the same manner as ENOSPC from
  194          * VOP_WRITE, and results in record loss.
  195          */
  196         if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) {
  197                 error = ENOSPC;
  198                 goto fail_enospc;
  199         }
  200 
  201         /*
  202          * Second, handle falling below the soft limit, if defined; we send
  203          * the daemon a trigger and continue processing the record.  Triggers
  204          * are limited to 1/sec.
  205          */
  206         if (audit_qctrl.aq_minfree != 0) {
  207                 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
  208                 if (mnt_stat->f_bfree < temp) {
  209                         if (ppsratecheck(&last_lowspace_trigger,
  210                             &cur_lowspace_trigger, 1)) {
  211                                 (void)audit_send_trigger(
  212                                     AUDIT_TRIGGER_LOW_SPACE);
  213                                 printf("Warning: disk space low (< %d%% free) "
  214                                     "on audit log file-system\n",
  215                                     audit_qctrl.aq_minfree);
  216                         }
  217                 }
  218         }
  219 
  220         /*
  221          * If the current file is getting full, generate a rotation trigger
  222          * to the daemon.  This is only approximate, which is fine as more
  223          * records may be generated before the daemon rotates the file.
  224          */
  225         if (audit_fstat.af_filesz != 0 &&
  226             audit_size >= audit_fstat.af_filesz * (audit_file_rotate_wait + 1)) {
  227                 AUDIT_WORKER_LOCK_ASSERT();
  228 
  229                 audit_file_rotate_wait++;
  230                 (void)audit_send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL);
  231         }
  232 
  233         /*
  234          * If the estimated amount of audit data in the audit event queue
  235          * (plus records allocated but not yet queued) has reached the amount
  236          * of free space on the disk, then we need to go into an audit fail
  237          * stop state, in which we do not permit the allocation/committing of
  238          * any new audit records.  We continue to process records but don't
  239          * allow any activities that might generate new records.  In the
  240          * future, we might want to detect when space is available again and
  241          * allow operation to continue, but this behavior is sufficient to
  242          * meet fail stop requirements in CAPP.
  243          */
  244         if (audit_fail_stop) {
  245                 if ((unsigned long)((audit_q_len + audit_pre_q_len + 1) *
  246                     MAX_AUDIT_RECORD_SIZE) / mnt_stat->f_bsize >=
  247                     (unsigned long)(mnt_stat->f_bfree)) {
  248                         if (ppsratecheck(&last_fail, &cur_fail, 1))
  249                                 printf("audit_record_write: free space "
  250                                     "below size of audit queue, failing "
  251                                     "stop\n");
  252                         audit_in_failure = 1;
  253                 } else if (audit_in_failure) {
  254                         /*
  255                          * Note: if we want to handle recovery, this is the
  256                          * spot to do it: unset audit_in_failure, and issue a
  257                          * wakeup on the cv.
  258                          */
  259                 }
  260         }
  261 
  262         error = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE,
  263             IO_APPEND|IO_UNIT, cred, NULL, NULL, curthread);
  264         if (error == ENOSPC)
  265                 goto fail_enospc;
  266         else if (error)
  267                 goto fail;
  268         AUDIT_WORKER_LOCK_ASSERT();
  269         audit_size += len;
  270 
  271         /*
  272          * Catch completion of a queue drain here; if we're draining and the
  273          * queue is now empty, fail stop.  That audit_fail_stop is implicitly
  274          * true, since audit_in_failure can only be set of audit_fail_stop is
  275          * set.
  276          *
  277          * Note: if we handle recovery from audit_in_failure, then we need to
  278          * make panic here conditional.
  279          */
  280         if (audit_in_failure) {
  281                 if (audit_q_len == 0 && audit_pre_q_len == 0) {
  282                         audit_worker_sync_vp(vp, mp,
  283                             "Audit store overflow; record queue drained.");
  284                 }
  285         }
  286 
  287         vfs_unbusy(mp);
  288         return;
  289 
  290 fail_enospc:
  291         /*
  292          * ENOSPC is considered a special case with respect to failures, as
  293          * this can reflect either our preemptive detection of insufficient
  294          * space, or ENOSPC returned by the vnode write call.
  295          */
  296         if (audit_fail_stop) {
  297                 audit_worker_sync_vp(vp, mp,
  298                     "Audit log space exhausted and fail-stop set.");
  299         }
  300         (void)audit_send_trigger(AUDIT_TRIGGER_NO_SPACE);
  301         audit_suspended = 1;
  302 
  303         /* FALLTHROUGH */
  304 fail:
  305         /*
  306          * We have failed to write to the file, so the current record is
  307          * lost, which may require an immediate system halt.
  308          */
  309         if (audit_panic_on_write_fail) {
  310                 audit_worker_sync_vp(vp, mp,
  311                     "audit_worker: write error %d\n", error);
  312         } else if (ppsratecheck(&last_fail, &cur_fail, 1))
  313                 printf("audit_worker: write error %d\n", error);
  314         if (mp != NULL)
  315                 vfs_unbusy(mp);
  316 }
  317 
  318 /*
  319  * Given a kernel audit record, process as required.  Kernel audit records
  320  * are converted to one, or possibly two, BSM records, depending on whether
  321  * there is a user audit record present also.  Kernel records need be
  322  * converted to BSM before they can be written out.  Both types will be
  323  * written to disk, and audit pipes.
  324  */
  325 static void
  326 audit_worker_process_record(struct kaudit_record *ar)
  327 {
  328         struct au_record *bsm;
  329         au_class_t class;
  330         au_event_t event;
  331         au_id_t auid;
  332         int error, sorf;
  333         int locked;
  334 
  335         /*
  336          * We hold the audit worker lock over both writes, if there are two,
  337          * so that the two records won't be split across a rotation and end
  338          * up in two different trail files.
  339          */
  340         if (((ar->k_ar_commit & AR_COMMIT_USER) &&
  341             (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) ||
  342             (ar->k_ar_commit & AR_PRESELECT_TRAIL)) {
  343                 AUDIT_WORKER_LOCK();
  344                 locked = 1;
  345         } else
  346                 locked = 0;
  347 
  348         /*
  349          * First, handle the user record, if any: commit to the system trail
  350          * and audit pipes as selected.
  351          */
  352         if ((ar->k_ar_commit & AR_COMMIT_USER) &&
  353             (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) {
  354                 AUDIT_WORKER_LOCK_ASSERT();
  355                 audit_record_write(audit_vp, audit_cred, ar->k_udata,
  356                     ar->k_ulen);
  357         }
  358 
  359         if ((ar->k_ar_commit & AR_COMMIT_USER) &&
  360             (ar->k_ar_commit & AR_PRESELECT_USER_PIPE))
  361                 audit_pipe_submit_user(ar->k_udata, ar->k_ulen);
  362 
  363         if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) ||
  364             ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 &&
  365             (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0))
  366                 goto out;
  367 
  368         auid = ar->k_ar.ar_subj_auid;
  369         event = ar->k_ar.ar_event;
  370         class = au_event_class(event);
  371         if (ar->k_ar.ar_errno == 0)
  372                 sorf = AU_PRS_SUCCESS;
  373         else
  374                 sorf = AU_PRS_FAILURE;
  375 
  376         error = kaudit_to_bsm(ar, &bsm);
  377         switch (error) {
  378         case BSM_NOAUDIT:
  379                 goto out;
  380 
  381         case BSM_FAILURE:
  382                 printf("audit_worker_process_record: BSM_FAILURE\n");
  383                 goto out;
  384 
  385         case BSM_SUCCESS:
  386                 break;
  387 
  388         default:
  389                 panic("kaudit_to_bsm returned %d", error);
  390         }
  391 
  392         if (ar->k_ar_commit & AR_PRESELECT_TRAIL) {
  393                 AUDIT_WORKER_LOCK_ASSERT();
  394                 audit_record_write(audit_vp, audit_cred, bsm->data, bsm->len);
  395         }
  396 
  397         if (ar->k_ar_commit & AR_PRESELECT_PIPE)
  398                 audit_pipe_submit(auid, event, class, sorf,
  399                     ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data,
  400                     bsm->len);
  401 
  402         kau_free(bsm);
  403 out:
  404         if (locked)
  405                 AUDIT_WORKER_UNLOCK();
  406 }
  407 
  408 /*
  409  * The audit_worker thread is responsible for watching the event queue,
  410  * dequeueing records, converting them to BSM format, and committing them to
  411  * disk.  In order to minimize lock thrashing, records are dequeued in sets
  412  * to a thread-local work queue.
  413  *
  414  * Note: this means that the effect bound on the size of the pending record
  415  * queue is 2x the length of the global queue.
  416  */
  417 static void
  418 audit_worker(void *arg)
  419 {
  420         struct kaudit_queue ar_worklist;
  421         struct kaudit_record *ar;
  422         int lowater_signal;
  423 
  424         TAILQ_INIT(&ar_worklist);
  425         mtx_lock(&audit_mtx);
  426         while (1) {
  427                 mtx_assert(&audit_mtx, MA_OWNED);
  428 
  429                 /*
  430                  * Wait for a record.
  431                  */
  432                 while (TAILQ_EMPTY(&audit_q))
  433                         cv_wait(&audit_worker_cv, &audit_mtx);
  434 
  435                 /*
  436                  * If there are records in the global audit record queue,
  437                  * transfer them to a thread-local queue and process them
  438                  * one by one.  If we cross the low watermark threshold,
  439                  * signal any waiting processes that they may wake up and
  440                  * continue generating records.
  441                  */
  442                 lowater_signal = 0;
  443                 while ((ar = TAILQ_FIRST(&audit_q))) {
  444                         TAILQ_REMOVE(&audit_q, ar, k_q);
  445                         audit_q_len--;
  446                         if (audit_q_len == audit_qctrl.aq_lowater)
  447                                 lowater_signal++;
  448                         TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
  449                 }
  450                 if (lowater_signal)
  451                         cv_broadcast(&audit_watermark_cv);
  452 
  453                 mtx_unlock(&audit_mtx);
  454                 while ((ar = TAILQ_FIRST(&ar_worklist))) {
  455                         TAILQ_REMOVE(&ar_worklist, ar, k_q);
  456                         audit_worker_process_record(ar);
  457                         audit_free(ar);
  458                 }
  459                 mtx_lock(&audit_mtx);
  460         }
  461 }
  462 
  463 /*
  464  * audit_rotate_vnode() is called by a user or kernel thread to configure or
  465  * de-configure auditing on a vnode.  The arguments are the replacement
  466  * credential (referenced) and vnode (referenced and opened) to substitute
  467  * for the current credential and vnode, if any.  If either is set to NULL,
  468  * both should be NULL, and this is used to indicate that audit is being
  469  * disabled.  Any previous cred/vnode will be closed and freed.  We re-enable
  470  * generating rotation requests to auditd.
  471  */
  472 void
  473 audit_rotate_vnode(struct ucred *cred, struct vnode *vp)
  474 {
  475         struct ucred *old_audit_cred;
  476         struct vnode *old_audit_vp;
  477         struct vattr vattr;
  478 
  479         KASSERT((cred != NULL && vp != NULL) || (cred == NULL && vp == NULL),
  480             ("audit_rotate_vnode: cred %p vp %p", cred, vp));
  481 
  482         if (vp != NULL) {
  483                 vn_lock(vp, LK_SHARED | LK_RETRY);
  484                 if (VOP_GETATTR(vp, &vattr, cred) != 0)
  485                         vattr.va_size = 0;
  486                 VOP_UNLOCK(vp, 0);
  487         } else {
  488                 vattr.va_size = 0;
  489         }
  490 
  491         /*
  492          * Rotate the vnode/cred, and clear the rotate flag so that we will
  493          * send a rotate trigger if the new file fills.
  494          */
  495         AUDIT_WORKER_LOCK();
  496         old_audit_cred = audit_cred;
  497         old_audit_vp = audit_vp;
  498         audit_cred = cred;
  499         audit_vp = vp;
  500         audit_size = vattr.va_size;
  501         audit_file_rotate_wait = 0;
  502         audit_enabled = (audit_vp != NULL);
  503         AUDIT_WORKER_UNLOCK();
  504 
  505         /*
  506          * If there was an old vnode/credential, close and free.
  507          */
  508         if (old_audit_vp != NULL) {
  509                 vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS, old_audit_cred,
  510                     curthread);
  511                 crfree(old_audit_cred);
  512         }
  513 }
  514 
  515 void
  516 audit_worker_init(void)
  517 {
  518         int error;
  519 
  520         AUDIT_WORKER_LOCK_INIT();
  521         error = kproc_create(audit_worker, NULL, &audit_thread, RFHIGHPID,
  522             0, "audit");
  523         if (error)
  524                 panic("audit_worker_init: kproc_create returned %d", error);
  525 }

Cache object: b2778a3d47c6699791b326418482c6df


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.