/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2011, David E. O'Brien. * Copyright (c) 2009-2011, Juniper Networks, Inc. * Copyright (c) 2015-2016, EMC Corp. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include static void filemon_output_event(struct filemon *filemon, const char *fmt, ...) __printflike(2, 3); static eventhandler_tag filemon_exec_tag; static eventhandler_tag filemon_exit_tag; static eventhandler_tag filemon_fork_tag; static void filemon_output(struct filemon *filemon, char *msg, size_t len) { struct uio auio; struct iovec aiov; int error; if (filemon->fp == NULL) return; aiov.iov_base = msg; aiov.iov_len = len; auio.uio_iov = &aiov; auio.uio_iovcnt = 1; auio.uio_resid = len; auio.uio_segflg = UIO_SYSSPACE; auio.uio_rw = UIO_WRITE; auio.uio_td = curthread; auio.uio_offset = (off_t) -1; if (filemon->fp->f_type == DTYPE_VNODE) bwillwrite(); error = fo_write(filemon->fp, &auio, filemon->cred, 0, curthread); if (error != 0 && filemon->error == 0) filemon->error = error; } static void filemon_output_event(struct filemon *filemon, const char *fmt, ...) { va_list ap; size_t len; va_start(ap, fmt); len = vsnprintf(filemon->msgbufr, sizeof(filemon->msgbufr), fmt, ap); va_end(ap); /* The event is truncated but still worth logging. */ if (len >= sizeof(filemon->msgbufr)) len = sizeof(filemon->msgbufr) - 1; filemon_output(filemon, filemon->msgbufr, len); } static int filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap) { int error, ret; struct filemon *filemon; if ((ret = sys_chdir(td, uap)) == 0) { if ((filemon = filemon_proc_get(curproc)) != NULL) { if ((error = copyinstr(uap->path, filemon->fname1, sizeof(filemon->fname1), NULL)) != 0) { filemon->error = error; goto copyfail; } filemon_output_event(filemon, "C %d %s\n", curproc->p_pid, filemon->fname1); copyfail: filemon_drop(filemon); } } return (ret); } static void filemon_event_process_exec(void *arg __unused, struct proc *p, struct image_params *imgp) { struct filemon *filemon; if ((filemon = filemon_proc_get(p)) != NULL) { filemon_output_event(filemon, "E %d %s\n", p->p_pid, imgp->execpath != NULL ? imgp->execpath : ""); /* If the credentials changed then cease tracing. */ if (imgp->newcred != NULL && imgp->credential_setid && priv_check_cred(filemon->cred, PRIV_DEBUG_DIFFCRED) != 0) { /* * It may have changed to NULL already, but * will not be re-attached by anything else. */ if (p->p_filemon != NULL) { KASSERT(p->p_filemon == filemon, ("%s: proc %p didn't have expected" " filemon %p", __func__, p, filemon)); filemon_proc_drop(p); } } filemon_drop(filemon); } } static void _filemon_wrapper_openat(struct thread *td, const char *upath, int flags, int fd) { int error; struct file *fp; struct filemon *filemon; char *atpath, *freepath; cap_rights_t rights; if ((filemon = filemon_proc_get(curproc)) != NULL) { atpath = ""; freepath = NULL; fp = NULL; if ((error = copyinstr(upath, filemon->fname1, sizeof(filemon->fname1), NULL)) != 0) { filemon->error = error; goto copyfail; } if (filemon->fname1[0] != '/' && fd != AT_FDCWD) { /* * rats - we cannot do too much about this. * the trace should show a dir we read * recently.. output an A record as a clue * until we can do better. * XXX: This may be able to come out with * the namecache lookup now. */ filemon_output_event(filemon, "A %d %s\n", curproc->p_pid, filemon->fname1); /* * Try to resolve the path from the vnode using the * namecache. It may be inaccurate, but better * than nothing. */ if (getvnode(td, fd, cap_rights_init_one(&rights, CAP_LOOKUP), &fp) == 0) { vn_fullpath(fp->f_vnode, &atpath, &freepath); } } if (flags & O_RDWR) { /* * We'll get the W record below, but need * to also output an R to distinguish from * O_WRONLY. */ filemon_output_event(filemon, "R %d %s%s%s\n", curproc->p_pid, atpath, atpath[0] != '\0' ? "/" : "", filemon->fname1); } filemon_output_event(filemon, "%c %d %s%s%s\n", (flags & O_ACCMODE) ? 'W':'R', curproc->p_pid, atpath, atpath[0] != '\0' ? "/" : "", filemon->fname1); copyfail: filemon_drop(filemon); if (fp != NULL) fdrop(fp, td); free(freepath, M_TEMP); } } static int filemon_wrapper_open(struct thread *td, struct open_args *uap) { int ret; if ((ret = sys_open(td, uap)) == 0) _filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD); return (ret); } static int filemon_wrapper_openat(struct thread *td, struct openat_args *uap) { int ret; if ((ret = sys_openat(td, uap)) == 0) _filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd); return (ret); } static int filemon_wrapper_rename(struct thread *td, struct rename_args *uap) { int error, ret; struct filemon *filemon; if ((ret = sys_rename(td, uap)) == 0) { if ((filemon = filemon_proc_get(curproc)) != NULL) { if (((error = copyinstr(uap->from, filemon->fname1, sizeof(filemon->fname1), NULL)) != 0) || ((error = copyinstr(uap->to, filemon->fname2, sizeof(filemon->fname2), NULL)) != 0)) { filemon->error = error; goto copyfail; } filemon_output_event(filemon, "M %d '%s' '%s'\n", curproc->p_pid, filemon->fname1, filemon->fname2); copyfail: filemon_drop(filemon); } } return (ret); } static void _filemon_wrapper_link(struct thread *td, const char *upath1, const char *upath2) { struct filemon *filemon; int error; if ((filemon = filemon_proc_get(curproc)) != NULL) { if (((error = copyinstr(upath1, filemon->fname1, sizeof(filemon->fname1), NULL)) != 0) || ((error = copyinstr(upath2, filemon->fname2, sizeof(filemon->fname2), NULL)) != 0)) { filemon->error = error; goto copyfail; } filemon_output_event(filemon, "L %d '%s' '%s'\n", curproc->p_pid, filemon->fname1, filemon->fname2); copyfail: filemon_drop(filemon); } } static int filemon_wrapper_link(struct thread *td, struct link_args *uap) { int ret; if ((ret = sys_link(td, uap)) == 0) _filemon_wrapper_link(td, uap->path, uap->link); return (ret); } static int filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap) { int ret; if ((ret = sys_symlink(td, uap)) == 0) _filemon_wrapper_link(td, uap->path, uap->link); return (ret); } static int filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap) { int ret; if ((ret = sys_linkat(td, uap)) == 0) _filemon_wrapper_link(td, uap->path1, uap->path2); return (ret); } static void filemon_event_process_exit(void *arg __unused, struct proc *p) { struct filemon *filemon; if ((filemon = filemon_proc_get(p)) != NULL) { filemon_output_event(filemon, "X %d %d %d\n", p->p_pid, p->p_xexit, p->p_xsig); /* * filemon_untrack_processes() may have dropped this p_filemon * already while in filemon_proc_get() before acquiring the * filemon lock. */ KASSERT(p->p_filemon == NULL || p->p_filemon == filemon, ("%s: p %p was attached while exiting, expected " "filemon %p or NULL", __func__, p, filemon)); if (p->p_filemon == filemon) filemon_proc_drop(p); filemon_drop(filemon); } } static int filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap) { int error, ret; struct filemon *filemon; if ((ret = sys_unlink(td, uap)) == 0) { if ((filemon = filemon_proc_get(curproc)) != NULL) { if ((error = copyinstr(uap->path, filemon->fname1, sizeof(filemon->fname1), NULL)) != 0) { filemon->error = error; goto copyfail; } filemon_output_event(filemon, "D %d %s\n", curproc->p_pid, filemon->fname1); copyfail: filemon_drop(filemon); } } return (ret); } static void filemon_event_process_fork(void *arg __unused, struct proc *p1, struct proc *p2, int flags __unused) { struct filemon *filemon; if ((filemon = filemon_proc_get(p1)) != NULL) { filemon_output_event(filemon, "F %d %d\n", p1->p_pid, p2->p_pid); /* * filemon_untrack_processes() or * filemon_ioctl(FILEMON_SET_PID) may have changed the parent's * p_filemon while in filemon_proc_get() before acquiring the * filemon lock. Only inherit if the parent is still traced by * this filemon. */ if (p1->p_filemon == filemon) { PROC_LOCK(p2); /* * It may have been attached to already by a new * filemon. */ if (p2->p_filemon == NULL) { p2->p_filemon = filemon_acquire(filemon); ++filemon->proccnt; } PROC_UNLOCK(p2); } filemon_drop(filemon); } } static void filemon_wrapper_install(void) { sysent[SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir; sysent[SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open; sysent[SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat; sysent[SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename; sysent[SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink; sysent[SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link; sysent[SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink; sysent[SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat; #if defined(COMPAT_FREEBSD32) freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir; freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open; freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat; freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename; freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink; freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link; freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink; freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat; #endif /* COMPAT_FREEBSD32 */ filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec, filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST); filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit, filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST); filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork, filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST); } static void filemon_wrapper_deinstall(void) { sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir; sysent[SYS_open].sy_call = (sy_call_t *)sys_open; sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat; sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename; sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink; sysent[SYS_link].sy_call = (sy_call_t *)sys_link; sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink; sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat; #if defined(COMPAT_FREEBSD32) freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *)sys_chdir; freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *)sys_open; freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *)sys_openat; freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *)sys_rename; freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *)sys_unlink; freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *)sys_link; freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *)sys_symlink; freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *)sys_linkat; #endif /* COMPAT_FREEBSD32 */ EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag); EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag); EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag); }