/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2011, David E. O'Brien. * Copyright (c) 2009-2011, Juniper Networks, Inc. * Copyright (c) 2015-2016, EMC Corp. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "filemon.h" #if defined(COMPAT_FREEBSD32) #include #include #include #endif static d_close_t filemon_close; static d_ioctl_t filemon_ioctl; static d_open_t filemon_open; static struct cdevsw filemon_cdevsw = { .d_version = D_VERSION, .d_close = filemon_close, .d_ioctl = filemon_ioctl, .d_open = filemon_open, .d_name = "filemon", }; MALLOC_DECLARE(M_FILEMON); MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); /* * The filemon->lock protects several things currently: * - fname1/fname2/msgbufr are pre-allocated and used per syscall * for logging and copyins rather than stack variables. * - Serializing the filemon's log output. * - Preventing inheritance or removal of the filemon into proc.p_filemon. */ struct filemon { struct sx lock; /* Lock for this filemon. */ struct file *fp; /* Output file pointer. */ struct ucred *cred; /* Credential of tracer. */ char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ char msgbufr[2*MAXPATHLEN + 100]; /* Output message buffer. */ int error; /* Log write error, returned on close(2). */ u_int refcnt; /* Pointer reference count. */ u_int proccnt; /* Process count. */ }; static struct cdev *filemon_dev; static void filemon_output(struct filemon *filemon, char *msg, size_t len); static __inline struct filemon * filemon_acquire(struct filemon *filemon) { if (filemon != NULL) refcount_acquire(&filemon->refcnt); return (filemon); } /* * Release a reference and free on the last one. */ static void filemon_release(struct filemon *filemon) { if (refcount_release(&filemon->refcnt) == 0) return; /* * There are valid cases of releasing while locked, such as in * filemon_untrack_processes, but none which are done where there * is not at least 1 reference remaining. */ sx_assert(&filemon->lock, SA_UNLOCKED); if (filemon->cred != NULL) crfree(filemon->cred); sx_destroy(&filemon->lock); free(filemon, M_FILEMON); } /* * Acquire the proc's p_filemon reference and lock the filemon. * The proc's p_filemon may not match this filemon on return. */ static struct filemon * filemon_proc_get(struct proc *p) { struct filemon *filemon; if (p->p_filemon == NULL) return (NULL); PROC_LOCK(p); filemon = filemon_acquire(p->p_filemon); PROC_UNLOCK(p); if (filemon == NULL) return (NULL); /* * The p->p_filemon may have changed by now. That case is handled * by the exit and fork hooks and filemon_attach_proc specially. */ sx_xlock(&filemon->lock); return (filemon); } /* Remove and release the filemon on the given process. */ static void filemon_proc_drop(struct proc *p) { struct filemon *filemon; KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", __func__, p)); sx_assert(&p->p_filemon->lock, SA_XLOCKED); PROC_LOCK(p); filemon = p->p_filemon; p->p_filemon = NULL; --filemon->proccnt; PROC_UNLOCK(p); /* * This should not be the last reference yet. filemon_release() * cannot be called with filemon locked, which the caller expects * will stay locked. */ KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " "with last reference", __func__, p, filemon)); filemon_release(filemon); } /* Unlock and release the filemon. */ static __inline void filemon_drop(struct filemon *filemon) { sx_xunlock(&filemon->lock); filemon_release(filemon); } #include "filemon_wrapper.c" static void filemon_write_header(struct filemon *filemon) { int len; struct timeval now; getmicrotime(&now); len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec, FILEMON_VERSION); if (len < sizeof(filemon->msgbufr)) filemon_output(filemon, filemon->msgbufr, len); } /* * Invalidate the passed filemon in all processes. */ static void filemon_untrack_processes(struct filemon *filemon) { struct proc *p; sx_assert(&filemon->lock, SA_XLOCKED); /* Avoid allproc loop if there is no need. */ if (filemon->proccnt == 0) return; /* * Processes in this list won't go away while here since * filemon_event_process_exit() will lock on filemon->lock * which we hold. */ sx_slock(&allproc_lock); FOREACH_PROC_IN_SYSTEM(p) { /* * No PROC_LOCK is needed to compare here since it is * guaranteed to not change since we have its filemon * locked. Everything that changes this p_filemon will * be locked on it. */ if (p->p_filemon == filemon) filemon_proc_drop(p); } sx_sunlock(&allproc_lock); /* * It's possible some references were acquired but will be * dropped shortly as they are restricted from being * inherited. There is at least the reference in cdevpriv remaining. */ KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " "references still.", __func__, filemon)); KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " "attached procs still.", __func__, filemon)); } /* * Close out the log. */ static void filemon_close_log(struct filemon *filemon) { struct file *fp; struct timeval now; size_t len; sx_assert(&filemon->lock, SA_XLOCKED); if (filemon->fp == NULL) return; getmicrotime(&now); len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), "# Stop %ju.%06ju\n# Bye bye\n", (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); if (len < sizeof(filemon->msgbufr)) filemon_output(filemon, filemon->msgbufr, len); fp = filemon->fp; filemon->fp = NULL; sx_xunlock(&filemon->lock); fdrop(fp, curthread); sx_xlock(&filemon->lock); } /* * The devfs file is being closed. Untrace all processes. It is possible * filemon_close/close(2) was not called. */ static void filemon_dtr(void *data) { struct filemon *filemon = data; if (filemon == NULL) return; sx_xlock(&filemon->lock); /* * Detach the filemon. It cannot be inherited after this. */ filemon_untrack_processes(filemon); filemon_close_log(filemon); filemon_drop(filemon); } /* Attach the filemon to the process. */ static int filemon_attach_proc(struct filemon *filemon, struct proc *p) { struct filemon *filemon2; sx_assert(&filemon->lock, SA_XLOCKED); PROC_LOCK_ASSERT(p, MA_OWNED); KASSERT((p->p_flag & P_WEXIT) == 0, ("%s: filemon %p attaching to exiting process %p", __func__, filemon, p)); KASSERT((p->p_flag & P_INEXEC) == 0, ("%s: filemon %p attaching to execing process %p", __func__, filemon, p)); if (p->p_filemon == filemon) return (0); /* * Don't allow truncating other process traces. It is * not really intended to trace procs other than curproc * anyhow. */ if (p->p_filemon != NULL && p != curproc) return (EBUSY); /* * Historic behavior of filemon has been to let a child initiate * tracing on itself and cease existing tracing. Bmake * .META + .MAKE relies on this. It is only relevant for attaching to * curproc. */ while (p->p_filemon != NULL) { PROC_UNLOCK(p); sx_xunlock(&filemon->lock); while ((filemon2 = filemon_proc_get(p)) != NULL) { /* It may have changed. */ if (p->p_filemon == filemon2) filemon_proc_drop(p); filemon_drop(filemon2); } sx_xlock(&filemon->lock); PROC_LOCK(p); /* * It may have been attached to, though unlikely. * Try again if needed. */ } KASSERT(p->p_filemon == NULL, ("%s: proc %p didn't detach filemon %p", __func__, p, p->p_filemon)); p->p_filemon = filemon_acquire(filemon); ++filemon->proccnt; return (0); } static int filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, struct thread *td) { struct filemon *filemon; struct file *fp; struct proc *p; int error; if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) return (error); sx_xlock(&filemon->lock); switch (cmd) { /* Set the output file descriptor. */ case FILEMON_SET_FD: if (filemon->fp != NULL) { error = EEXIST; break; } error = fget_write(td, *(int *)data, &cap_pwrite_rights, &fp); if (error == 0) { /* * The filemon handle may be passed to another process, * so the underlying file handle must support this. */ if ((fp->f_ops->fo_flags & DFLAG_PASSABLE) == 0) { fdrop(fp, curthread); error = EINVAL; break; } filemon->fp = fp; /* Write the file header. */ filemon_write_header(filemon); } break; /* Set the monitored process ID. */ case FILEMON_SET_PID: /* Invalidate any existing processes already set. */ filemon_untrack_processes(filemon); error = pget(*((pid_t *)data), PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p); if (error == 0) { KASSERT(p->p_filemon != filemon, ("%s: proc %p didn't untrack filemon %p", __func__, p, filemon)); error = filemon_attach_proc(filemon, p); PROC_UNLOCK(p); } break; default: error = EINVAL; break; } sx_xunlock(&filemon->lock); return (error); } static int filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, struct thread *td) { int error; struct filemon *filemon; filemon = malloc(sizeof(*filemon), M_FILEMON, M_WAITOK | M_ZERO); sx_init(&filemon->lock, "filemon"); refcount_init(&filemon->refcnt, 1); filemon->cred = crhold(td->td_ucred); error = devfs_set_cdevpriv(filemon, filemon_dtr); if (error != 0) filemon_release(filemon); return (error); } /* Called on close of last devfs file handle, before filemon_dtr(). */ static int filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, struct thread *td __unused) { struct filemon *filemon; int error; if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) return (error); sx_xlock(&filemon->lock); filemon_close_log(filemon); error = filemon->error; sx_xunlock(&filemon->lock); /* * Processes are still being traced but won't log anything * now. After this call returns filemon_dtr() is called which * will detach processes. */ return (error); } static void filemon_load(void *dummy __unused) { /* Install the syscall wrappers. */ filemon_wrapper_install(); filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, "filemon"); } static int filemon_unload(void) { destroy_dev(filemon_dev); filemon_wrapper_deinstall(); return (0); } static int filemon_modevent(module_t mod __unused, int type, void *data) { int error = 0; switch (type) { case MOD_LOAD: filemon_load(data); break; case MOD_UNLOAD: error = filemon_unload(); break; case MOD_QUIESCE: /* * The wrapper implementation is unsafe for reliable unload. * Require forcing an unload. */ error = EBUSY; break; case MOD_SHUTDOWN: break; default: error = EOPNOTSUPP; break; } return (error); } DEV_MODULE(filemon, filemon_modevent, NULL); MODULE_VERSION(filemon, 1);