1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2011, David E. O'Brien.
5 * Copyright (c) 2009-2011, Juniper Networks, Inc.
6 * Copyright (c) 2015-2016, EMC Corp.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31 #include <sys/param.h>
32 #include <sys/file.h>
33 #include <sys/systm.h>
34 #include <sys/buf.h>
35 #include <sys/capsicum.h>
36 #include <sys/condvar.h>
37 #include <sys/conf.h>
38 #include <sys/fcntl.h>
39 #include <sys/ioccom.h>
40 #include <sys/kernel.h>
41 #include <sys/lock.h>
42 #include <sys/malloc.h>
43 #include <sys/module.h>
44 #include <sys/poll.h>
45 #include <sys/proc.h>
46 #include <sys/sx.h>
47 #include <sys/syscall.h>
48 #include <sys/sysent.h>
49 #include <sys/sysproto.h>
50 #include <sys/uio.h>
51
52 #include "filemon.h"
53
54 #if defined(COMPAT_FREEBSD32)
55 #include <compat/freebsd32/freebsd32_syscall.h>
56 #include <compat/freebsd32/freebsd32_proto.h>
57 #include <compat/freebsd32/freebsd32_util.h>
58 #endif
59
/*
 * Character-device entry points.  Only open, close and ioctl handlers
 * are installed in the switch below; all control of a filemon goes
 * through filemon_ioctl().
 */
static d_close_t	filemon_close;
static d_ioctl_t	filemon_ioctl;
static d_open_t		filemon_open;

/* Device switch for the "filemon" node created in filemon_load(). */
static struct cdevsw filemon_cdevsw = {
	.d_version =	D_VERSION,
	.d_close =	filemon_close,
	.d_ioctl =	filemon_ioctl,
	.d_open =	filemon_open,
	.d_name =	"filemon",
};

/* Allocation type for struct filemon (allocated in filemon_open()). */
MALLOC_DECLARE(M_FILEMON);
MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor");
74
/*
 * Per-open tracing state.  One instance is allocated in filemon_open(),
 * stored as the devfs cdevpriv, and freed by filemon_release() when the
 * last reference is dropped.
 *
 * The filemon->lock protects several things currently:
 * - fname1/fname2/msgbufr are pre-allocated and used per syscall
 *   for logging and copyins rather than stack variables.
 * - Serializing the filemon's log output.
 * - Preventing inheritance or removal of the filemon into proc.p_filemon.
 */
struct filemon {
	struct sx lock;			/* Lock for this filemon. */
	/*
	 * Output file pointer.  Set by FILEMON_SET_FD and cleared by
	 * filemon_close_log(); NULL means no log is currently open.
	 */
	struct file *fp;
	/*
	 * Credential of tracer: td_ucred of the thread that opened the
	 * device, held with crhold() in filemon_open().
	 */
	struct ucred *cred;
	char fname1[MAXPATHLEN];	/* Temporary filename buffer. */
	char fname2[MAXPATHLEN];	/* Temporary filename buffer. */
	char msgbufr[2*MAXPATHLEN + 100]; /* Output message buffer. */
	int error;			/* Log write error, returned on close(2). */
	/*
	 * Pointer reference count.  Starts at 1 in filemon_open(); each
	 * attached process and each filemon_proc_get() caller adds one.
	 */
	u_int refcnt;
	/*
	 * Process count: incremented in filemon_attach_proc() and
	 * decremented in filemon_proc_drop().
	 */
	u_int proccnt;
};
93
/* The device node, created in filemon_load() and destroyed on unload. */
static struct cdev *filemon_dev;
/*
 * Log writer.  Its definition is not in this part of the file
 * (presumably it lives in filemon_wrapper.c, included below -- confirm).
 */
static void filemon_output(struct filemon *filemon, char *msg, size_t len);
96
/*
 * Take one more reference on a filemon and hand the same pointer back.
 * NULL is accepted and returned unchanged, so callers may pass a
 * possibly-unset p_filemon directly.
 */
static __inline struct filemon *
filemon_acquire(struct filemon *filemon)
{

	if (filemon == NULL)
		return (NULL);

	refcount_acquire(&filemon->refcnt);
	return (filemon);
}
105
/*
 * Drop one reference.  The caller that drops the last one tears the
 * filemon down: the tracer credential is released, the lock is
 * destroyed and the memory goes back to M_FILEMON.
 */
static void
filemon_release(struct filemon *filemon)
{

	if (refcount_release(&filemon->refcnt)) {
		/*
		 * Releasing while the lock is held is valid in places such
		 * as filemon_untrack_processes, but only while at least one
		 * other reference remains.  The final release must find the
		 * lock free, because it is destroyed just below.
		 */
		sx_assert(&filemon->lock, SA_UNLOCKED);

		if (filemon->cred != NULL)
			crfree(filemon->cred);
		sx_destroy(&filemon->lock);
		free(filemon, M_FILEMON);
	}
}
127
/*
 * Look up the filemon attached to a process, take a reference on it and
 * return it exclusively locked.  Returns NULL when the process has none.
 *
 * The reference is taken under the proc lock, but the filemon lock is
 * only acquired after the proc lock has been dropped, so p->p_filemon
 * may no longer point at the returned filemon.  Callers that care must
 * re-check; the exit and fork hooks and filemon_attach_proc do so.
 */
static struct filemon *
filemon_proc_get(struct proc *p)
{
	struct filemon *fm;

	/* Unlocked check first; the pointer is read again under the lock. */
	if (p->p_filemon == NULL)
		return (NULL);

	PROC_LOCK(p);
	fm = filemon_acquire(p->p_filemon);
	PROC_UNLOCK(p);

	if (fm != NULL)
		sx_xlock(&fm->lock);
	return (fm);
}
152
/*
 * Detach the filemon from the given process and give up the reference
 * the process held on it.
 *
 * The caller must hold the filemon's lock exclusively and must own a
 * reference of its own: the lock stays held across this call, and
 * filemon_release() may not free a locked filemon.
 */
static void
filemon_proc_drop(struct proc *p)
{
	struct filemon *fm;

	KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon",
	    __func__, p));
	sx_assert(&p->p_filemon->lock, SA_XLOCKED);

	/* Clear the pointer and adjust the count under the proc lock. */
	PROC_LOCK(p);
	fm = p->p_filemon;
	p->p_filemon = NULL;
	fm->proccnt--;
	PROC_UNLOCK(p);

	/* The caller's own reference must still be outstanding here. */
	KASSERT(fm->refcnt > 1, ("%s: proc %p dropping filemon %p "
	    "with last reference", __func__, p, fm));
	filemon_release(fm);
}
176
/*
 * Unlock and release the filemon.
 *
 * The unlock comes first on purpose: filemon_release() asserts that the
 * lock is not held when it frees the structure on the last reference.
 * The pointer must not be used by the caller after this returns.
 */
static __inline void
filemon_drop(struct filemon *filemon)
{

	sx_xunlock(&filemon->lock);
	filemon_release(filemon);
}
185
186 #include "filemon_wrapper.c"
187
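/*
 * Write the log preamble: format version, a pid and the start time.
 *
 * Called from the FILEMON_SET_FD ioctl with filemon->lock held and
 * filemon->fp already set.  The "Target pid" recorded here is curproc's
 * pid, i.e. the process issuing the ioctl, which is not necessarily the
 * process later chosen with FILEMON_SET_PID.
 *
 * If the formatted text would not fit in msgbufr nothing is written.
 */
static void
filemon_write_header(struct filemon *filemon)
{
	struct timeval now;
	size_t len;	/* size_t, as in filemon_close_log(): no signed/unsigned compare */

	getmicrotime(&now);

	len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
	    "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n",
	    FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec,
	    (uintmax_t)now.tv_usec, FILEMON_VERSION);
	if (len < sizeof(filemon->msgbufr))
		filemon_output(filemon, filemon->msgbufr, len);
}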
203
/*
 * Detach this filemon from every process that currently points at it.
 * The caller holds filemon->lock exclusively and keeps it throughout.
 */
static void
filemon_untrack_processes(struct filemon *filemon)
{
	struct proc *tp;

	sx_assert(&filemon->lock, SA_XLOCKED);

	/* Nothing attached: skip the walk over allproc. */
	if (filemon->proccnt == 0)
		return;

	/*
	 * Processes found in the list cannot go away underneath us:
	 * filemon_event_process_exit() blocks on filemon->lock, which
	 * is held here.
	 */
	sx_slock(&allproc_lock);
	FOREACH_PROC_IN_SYSTEM(tp) {
		/*
		 * Comparing without PROC_LOCK is fine.  Anything that
		 * changes a p_filemon pointing at this filemon does so
		 * with this filemon locked, and we hold that lock.
		 */
		if (tp->p_filemon != filemon)
			continue;
		filemon_proc_drop(tp);
	}
	sx_sunlock(&allproc_lock);

	/*
	 * Transient references may still exist; they will be dropped
	 * shortly because inheritance is no longer possible.  The
	 * cdevpriv reference, at the very least, is still there.
	 */
	KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have "
	    "references still.", __func__, filemon));
	KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have "
	    "attached procs still.", __func__, filemon));
}
246
/*
 * Finish the log: write the trailer and give up the output file.
 *
 * Entered and left with filemon->lock held exclusively, but the lock is
 * released around the final fdrop().  filemon->fp is set to NULL while
 * the lock is still held, so nobody else holding the lock can pick up a
 * file pointer whose reference is being dropped.  Callers must not
 * assume filemon state is unchanged across this call.
 */
static void
filemon_close_log(struct filemon *filemon)
{
	struct timeval tv;
	struct file *logfp;
	size_t n;

	sx_assert(&filemon->lock, SA_XLOCKED);

	/* No log was ever set, or it has been closed already. */
	if (filemon->fp == NULL)
		return;

	getmicrotime(&tv);
	n = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
	    "# Stop %ju.%06ju\n# Bye bye\n",
	    (uintmax_t)tv.tv_sec, (uintmax_t)tv.tv_usec);
	if (n < sizeof(filemon->msgbufr))
		filemon_output(filemon, filemon->msgbufr, n);

	/* Unpublish the pointer before releasing the file reference. */
	logfp = filemon->fp;
	filemon->fp = NULL;

	sx_xunlock(&filemon->lock);
	fdrop(logfp, curthread);
	sx_xlock(&filemon->lock);
}
277
/*
 * cdevpriv destructor, registered in filemon_open(): the devfs file is
 * going away.  Stop tracing every attached process, close the log and
 * drop the reference held by cdevpriv.  filemon_close/close(2) may not
 * have run before this, so the log is closed here as well.
 */
static void
filemon_dtr(void *data)
{
	struct filemon *fm;

	fm = data;
	if (fm == NULL)
		return;

	sx_xlock(&fm->lock);
	/* Once detached the filemon can no longer be inherited. */
	filemon_untrack_processes(fm);
	filemon_close_log(fm);
	/* Unlocks, then releases the cdevpriv reference. */
	filemon_drop(fm);
}
298
/*
 * Attach the filemon to process p.
 *
 * Entered with filemon->lock held exclusively and p locked; both are
 * held again on return, although both are dropped temporarily when an
 * existing filemon has to be detached from p first.
 *
 * Returns 0 on success, or EBUSY when p is not the calling process and
 * is already traced by a different filemon.
 */
static int
filemon_attach_proc(struct filemon *filemon, struct proc *p)
{
	struct filemon *old;

	sx_assert(&filemon->lock, SA_XLOCKED);
	PROC_LOCK_ASSERT(p, MA_OWNED);
	KASSERT((p->p_flag & P_WEXIT) == 0,
	    ("%s: filemon %p attaching to exiting process %p",
	    __func__, filemon, p));
	KASSERT((p->p_flag & P_INEXEC) == 0,
	    ("%s: filemon %p attaching to execing process %p",
	    __func__, filemon, p));

	/* Already attached to this very filemon: nothing to do. */
	if (p->p_filemon == filemon)
		return (0);

	/*
	 * A caller may not displace the trace of some other process.
	 * Tracing anything but curproc is not really the intended use
	 * anyway.
	 */
	if (p != curproc && p->p_filemon != NULL)
		return (EBUSY);

	/*
	 * Historically a child may start tracing itself, which ends
	 * whatever trace it had inherited.  Bmake .META + .MAKE depends
	 * on that.  This loop therefore only matters for curproc.
	 */
	while (p->p_filemon != NULL) {
		/* Detaching needs the old filemon's lock; drop ours first. */
		PROC_UNLOCK(p);
		sx_xunlock(&filemon->lock);
		for (;;) {
			old = filemon_proc_get(p);
			if (old == NULL)
				break;
			/* p_filemon may have changed since the lookup. */
			if (p->p_filemon == old)
				filemon_proc_drop(p);
			filemon_drop(old);
		}
		sx_xlock(&filemon->lock);
		PROC_LOCK(p);
		/*
		 * Something may have attached in the meantime, unlikely
		 * as that is; the loop condition checks again.
		 */
	}

	KASSERT(p->p_filemon == NULL,
	    ("%s: proc %p didn't detach filemon %p", __func__, p,
	    p->p_filemon));
	p->p_filemon = filemon_acquire(filemon);
	filemon->proccnt++;

	return (0);
}
354
/*
 * ioctl entry point for the filemon device.  Runs with the filemon
 * taken from cdevpriv and its lock held exclusively.
 *
 * FILEMON_SET_FD   data points at an int descriptor of the caller.  It
 *                  is resolved with fget_write() and cap_pwrite_rights,
 *                  and must be of a passable file type.  Only one
 *                  output file may be set (EEXIST otherwise).
 * FILEMON_SET_PID  data points at a pid_t.  The lookup uses
 *                  PGET_CANDEBUG, so the caller can only select a
 *                  process it is permitted to debug.  Processes tracked
 *                  so far are detached before the lookup, so a failed
 *                  call leaves the filemon tracking nothing.
 *
 * Any other command yields EINVAL.
 */
static int
filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
    struct thread *td)
{
	struct filemon *filemon;
	struct file *outfp;
	struct proc *target;
	int error;

	error = devfs_get_cdevpriv((void **) &filemon);
	if (error != 0)
		return (error);

	sx_xlock(&filemon->lock);

	switch (cmd) {
	/* Set the output file descriptor. */
	case FILEMON_SET_FD:
		if (filemon->fp != NULL) {
			error = EEXIST;
			break;
		}

		error = fget_write(td, *(int *)data, &cap_pwrite_rights,
		    &outfp);
		if (error != 0)
			break;

		/*
		 * The filemon handle may be passed to another process,
		 * so the underlying file handle must support this.
		 */
		if ((outfp->f_ops->fo_flags & DFLAG_PASSABLE) == 0) {
			fdrop(outfp, curthread);
			error = EINVAL;
			break;
		}

		/* The fget_write() reference is now owned by the filemon. */
		filemon->fp = outfp;
		filemon_write_header(filemon);
		break;

	/* Set the monitored process ID. */
	case FILEMON_SET_PID:
		/* Invalidate any existing processes already set. */
		filemon_untrack_processes(filemon);

		error = pget(*((pid_t *)data),
		    PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &target);
		if (error != 0)
			break;

		KASSERT(target->p_filemon != filemon,
		    ("%s: proc %p didn't untrack filemon %p",
		    __func__, target, filemon));
		/* filemon_attach_proc() asserts that target is locked. */
		error = filemon_attach_proc(filemon, target);
		PROC_UNLOCK(target);
		break;

	default:
		error = EINVAL;
		break;
	}

	sx_xunlock(&filemon->lock);
	return (error);
}
418
/*
 * open(2) on the filemon device: allocate a fresh filemon and store it
 * as this file's cdevpriv, with filemon_dtr() as its destructor.
 *
 * The opening thread's credential is held in filemon->cred for the
 * lifetime of the filemon.  The initial reference belongs to cdevpriv;
 * if registration fails it is released here, which frees the structure.
 */
static int
filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused,
    struct thread *td)
{
	struct filemon *fm;
	int rc;

	/* M_WAITOK allocations sleep instead of failing. */
	fm = malloc(sizeof(*fm), M_FILEMON, M_WAITOK | M_ZERO);
	sx_init(&fm->lock, "filemon");
	refcount_init(&fm->refcnt, 1);
	fm->cred = crhold(td->td_ucred);

	rc = devfs_set_cdevpriv(fm, filemon_dtr);
	if (rc == 0)
		return (0);

	filemon_release(fm);
	return (rc);
}
438
/*
 * Called on close of the last devfs file handle, before filemon_dtr().
 *
 * Closes the log and reports any write error recorded in
 * filemon->error as the result of close(2).  Attached processes are
 * not detached here: they remain traced but log nothing from now on,
 * and filemon_dtr() detaches them once this call has returned.
 */
static int
filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused,
    struct thread *td __unused)
{
	struct filemon *fm;
	int rc;

	rc = devfs_get_cdevpriv((void **) &fm);
	if (rc != 0)
		return (rc);

	sx_xlock(&fm->lock);
	filemon_close_log(fm);
	/* Read the error after the trailer has been written. */
	rc = fm->error;
	sx_xunlock(&fm->lock);

	return (rc);
}
462
/*
 * Module load: hook the syscalls and create the device node.
 *
 * The node is owned by root:wheel with mode 0666, so any user may open
 * it.  What a caller can trace is decided later, in filemon_ioctl():
 * FILEMON_SET_PID looks the process up with PGET_CANDEBUG and
 * FILEMON_SET_FD resolves the descriptor with fget_write().
 */
static void
filemon_load(void *dummy __unused)
{

	/* Install the syscall wrappers. */
	filemon_wrapper_install();

	filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666,
	    "filemon");
}
473
/*
 * Module unload: the reverse of filemon_load().  The device node is
 * destroyed first and the syscall wrappers are removed afterwards.
 * Always returns 0.  See filemon_modevent(): MOD_QUIESCE is refused, so
 * this is only reached when the unload is forced.
 */
static int
filemon_unload(void)
{

	destroy_dev(filemon_dev);
	filemon_wrapper_deinstall();

	return (0);
}
483
/*
 * Module event handler.
 *
 * MOD_LOAD      install wrappers and create the device; returns 0.
 * MOD_UNLOAD    tear both down; returns filemon_unload()'s result.
 * MOD_QUIESCE   always EBUSY, so an unload has to be forced.
 * MOD_SHUTDOWN  nothing to do; returns 0.
 * anything else EOPNOTSUPP.
 */
static int
filemon_modevent(module_t mod __unused, int type, void *data)
{

	switch (type) {
	case MOD_LOAD:
		filemon_load(data);
		return (0);

	case MOD_UNLOAD:
		return (filemon_unload());

	case MOD_QUIESCE:
		/*
		 * The wrapper implementation is unsafe for reliable unload.
		 * Require forcing an unload.
		 */
		return (EBUSY);

	case MOD_SHUTDOWN:
		return (0);

	default:
		return (EOPNOTSUPP);
	}
}
517
/* Register the module with filemon_modevent() as its event handler. */
DEV_MODULE(filemon, filemon_modevent, NULL);
MODULE_VERSION(filemon, 1);