xref: /freebsd/contrib/openbsm/bin/auditdistd/trail.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /*-
2  * Copyright (c) 2012 The FreeBSD Foundation
3  * All rights reserved.
4  *
5  * This software was developed by Pawel Jakub Dawidek under sponsorship from
6  * the FreeBSD Foundation.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  * $P4: //depot/projects/trustedbsd/openbsm/bin/auditdistd/trail.c#3 $
30  */
31 
32 #include <config/config.h>
33 
34 #include <sys/param.h>
35 #include <sys/stat.h>
36 
37 #include <dirent.h>
38 #include <errno.h>
39 #include <fcntl.h>
40 #include <stdbool.h>
41 #include <stdint.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <unistd.h>
45 
46 #include <compat/compat.h>
47 #ifndef HAVE_STRLCPY
48 #include <compat/strlcpy.h>
49 #endif
50 #ifndef HAVE_FACCESSAT
51 #include "faccessat.h"
52 #endif
53 #ifndef HAVE_FSTATAT
54 #include "fstatat.h"
55 #endif
56 #ifndef HAVE_OPENAT
57 #include "openat.h"
58 #endif
59 #ifndef HAVE_UNLINKAT
60 #include "unlinkat.h"
61 #endif
62 
63 #include "pjdlog.h"
64 #include "trail.h"
65 
66 #define	TRAIL_MAGIC	0x79a11
67 struct trail {
68 	int	 tr_magic;
69 	/* Path usually to /var/audit/dist/ directory. */
70 	char	 tr_dirname[PATH_MAX];
71 	/* Descriptor to td_dirname directory. */
72 	DIR	*tr_dirfp;
73 	/* Path to audit trail file. */
74 	char	 tr_filename[PATH_MAX];
75 	/* Descriptor to audit trail file. */
76 	int	 tr_filefd;
77 };
78 
79 #define	HALF_LEN	14
80 
81 bool
82 trail_is_not_terminated(const char *filename)
83 {
84 
85 	return (strcmp(filename + HALF_LEN, ".not_terminated") == 0);
86 }
87 
88 bool
89 trail_is_crash_recovery(const char *filename)
90 {
91 
92 	return (strcmp(filename + HALF_LEN, ".crash_recovery") == 0);
93 }
94 
95 struct trail *
96 trail_new(const char *dirname, bool create)
97 {
98 	struct trail *trail;
99 
100 	trail = calloc(1, sizeof(*trail));
101 
102 	if (strlcpy(trail->tr_dirname, dirname, sizeof(trail->tr_dirname)) >=
103 	    sizeof(trail->tr_dirname)) {
104 		free(trail);
105 		pjdlog_error("Directory name too long (\"%s\").", dirname);
106 		errno = ENAMETOOLONG;
107 		return (NULL);
108 	}
109 	trail->tr_dirfp = opendir(dirname);
110 	if (trail->tr_dirfp == NULL) {
111 		if (create && errno == ENOENT) {
112 			if (mkdir(dirname, 0700) == -1) {
113 				pjdlog_errno(LOG_ERR,
114 				    "Unable to create directory \"%s\"",
115 				    dirname);
116 				free(trail);
117 				return (NULL);
118 			}
119 			/* TODO: Set directory ownership. */
120 		} else {
121 			pjdlog_errno(LOG_ERR,
122 			    "Unable to open directory \"%s\"",
123 			    dirname);
124 			free(trail);
125 			return (NULL);
126 		}
127 		trail->tr_dirfp = opendir(dirname);
128 		if (trail->tr_dirfp == NULL) {
129 			pjdlog_errno(LOG_ERR,
130 			    "Unable to open directory \"%s\"",
131 			    dirname);
132 			free(trail);
133 			return (NULL);
134 		}
135 	}
136 	trail->tr_filefd = -1;
137 	trail->tr_magic = TRAIL_MAGIC;
138 	return (trail);
139 }
140 
141 void
142 trail_free(struct trail *trail)
143 {
144 
145 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
146 
147 	if (trail->tr_filefd != -1)
148 		trail_close(trail);
149 	closedir(trail->tr_dirfp);
150 	bzero(trail, sizeof(*trail));
151 	trail->tr_magic = 0;
152 	trail->tr_filefd = -1;
153 	free(trail);
154 }
155 
156 static uint8_t
157 trail_type(DIR *dirfp, const char *filename)
158 {
159 	struct stat sb;
160 	int dfd;
161 
162 	PJDLOG_ASSERT(dirfp != NULL);
163 
164 	dfd = dirfd(dirfp);
165 	PJDLOG_ASSERT(dfd >= 0);
166 	if (fstatat(dfd, filename, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
167 		pjdlog_errno(LOG_ERR, "Unable to stat \"%s\"", filename);
168 		return (DT_UNKNOWN);
169 	}
170 	return (IFTODT(sb.st_mode));
171 }
172 
173 /*
174  * Find trail file by first part of the name in case it was renamed.
175  * First part of the trail file name never changes, but trail file
176  * can be renamed when hosts are disconnected from .not_terminated
177  * to .[0-9]{14} or to .crash_recovery.
178  */
179 static bool
180 trail_find(struct trail *trail)
181 {
182 	struct dirent *dp;
183 
184 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
185 	PJDLOG_ASSERT(trail_is_not_terminated(trail->tr_filename));
186 
187 	rewinddir(trail->tr_dirfp);
188 	while ((dp = readdir(trail->tr_dirfp)) != NULL) {
189 		if (strncmp(dp->d_name, trail->tr_filename, HALF_LEN + 1) == 0)
190 			break;
191 	}
192 	if (dp == NULL)
193 		return (false);
194 	PJDLOG_VERIFY(strlcpy(trail->tr_filename, dp->d_name,
195 	    sizeof(trail->tr_filename)) < sizeof(trail->tr_filename));
196 	return (true);
197 }
198 
199 /*
200  * Open the given trail file and move pointer at the given offset, as this is
201  * where receiver finished the last time.
202  * If the file doesn't exist or the given offset is equal to the file size,
203  * move to the next trail file.
204  */
205 void
206 trail_start(struct trail *trail, const char *filename, off_t offset)
207 {
208 	struct stat sb;
209 	int dfd, fd;
210 
211 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
212 
213 	PJDLOG_VERIFY(strlcpy(trail->tr_filename, filename,
214 	    sizeof(trail->tr_filename)) < sizeof(trail->tr_filename));
215 	trail->tr_filefd = -1;
216 
217 	if (trail->tr_filename[0] == '\0') {
218 		PJDLOG_ASSERT(offset == 0);
219 		trail_next(trail);
220 		return;
221 	}
222 
223 	dfd = dirfd(trail->tr_dirfp);
224 	PJDLOG_ASSERT(dfd >= 0);
225 again:
226 	fd = openat(dfd, trail->tr_filename, O_RDONLY);
227 	if (fd == -1) {
228 		if (errno == ENOENT &&
229 		    trail_is_not_terminated(trail->tr_filename) &&
230 		    trail_find(trail)) {
231 			/* File was renamed. Retry with new name. */
232 			pjdlog_debug(1,
233 			   "Trail file was renamed since last connection to \"%s/%s\".",
234 			   trail->tr_dirname, trail->tr_filename);
235 			goto again;
236 		} else if (errno == ENOENT) {
237 			/* File disappeared. */
238 			pjdlog_debug(1, "File \"%s/%s\" doesn't exist.",
239 			    trail->tr_dirname, trail->tr_filename);
240 		} else {
241 			pjdlog_errno(LOG_ERR,
242 			    "Unable to open file \"%s/%s\", skipping",
243 			    trail->tr_dirname, trail->tr_filename);
244 		}
245 		trail_next(trail);
246 		return;
247 	}
248 	if (fstat(fd, &sb) == -1) {
249 		pjdlog_errno(LOG_ERR,
250 		    "Unable to stat file \"%s/%s\", skipping",
251 		    trail->tr_dirname, trail->tr_filename);
252 		close(fd);
253 		trail_next(trail);
254 		return;
255 	}
256 	if (!S_ISREG(sb.st_mode)) {
257 		pjdlog_warning("File \"%s/%s\" is not a regular file, skipping.",
258 		    trail->tr_dirname, trail->tr_filename);
259 		close(fd);
260 		trail_next(trail);
261 		return;
262 	}
263 	/*
264 	 * We continue sending requested file if:
265 	 * 1. It is not fully sent yet, or
266 	 * 2. It is fully sent, but is not terminated, so new data can be
267 	 *    appended still, or
268 	 * 3. It is fully sent but file name has changed.
269 	 *
270 	 * Note that we are fine if our .not_terminated or .crash_recovery file
271 	 * is smaller than the one on the receiver side, as it is possible that
272 	 * more data was send to the receiver than was safely stored on disk.
273 	 * We accept .not_terminated only because auditdistd can start before
274 	 * auditd manage to rename it to .crash_recovery.
275 	 */
276 	if (offset < sb.st_size ||
277 	    (offset >= sb.st_size &&
278 	     trail_is_not_terminated(trail->tr_filename)) ||
279 	    (offset >= sb.st_size && trail_is_not_terminated(filename) &&
280 	     trail_is_crash_recovery(trail->tr_filename))) {
281 		/* File was not fully send. Let's finish it. */
282 		if (lseek(fd, offset, SEEK_SET) == -1) {
283 			pjdlog_errno(LOG_ERR,
284 			    "Unable to move to offset %jd within file \"%s/%s\", skipping",
285 			    (intmax_t)offset, trail->tr_dirname,
286 			    trail->tr_filename);
287 			close(fd);
288 			trail_next(trail);
289 			return;
290 		}
291 		if (!trail_is_crash_recovery(trail->tr_filename)) {
292 			pjdlog_debug(1,
293 			    "Restarting file \"%s/%s\" at offset %jd.",
294 			    trail->tr_dirname, trail->tr_filename,
295 			    (intmax_t)offset);
296 		}
297 		trail->tr_filefd = fd;
298 		return;
299 	}
300 	close(fd);
301 	if (offset > sb.st_size) {
302 		pjdlog_warning("File \"%s/%s\" shrinked, removing it.",
303 		    trail->tr_dirname, trail->tr_filename);
304 	} else {
305 		pjdlog_debug(1, "File \"%s/%s\" is already sent, removing it.",
306 		    trail->tr_dirname, trail->tr_filename);
307 	}
308 	/* Entire file is already sent or it shirnked, we can remove it. */
309 	if (unlinkat(dfd, trail->tr_filename, 0) == -1) {
310 		pjdlog_errno(LOG_WARNING, "Unable to remove file \"%s/%s\"",
311 		    trail->tr_dirname, trail->tr_filename);
312 	}
313 	trail_next(trail);
314 }
315 
316 /*
317  * Set next file in the trail->tr_dirname directory and open it for reading.
318  */
319 void
320 trail_next(struct trail *trail)
321 {
322 	char curfile[PATH_MAX];
323 	struct dirent *dp;
324 	int dfd;
325 
326 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
327 	PJDLOG_ASSERT(trail->tr_filefd == -1);
328 
329 again:
330 	curfile[0] = '\0';
331 
332 	rewinddir(trail->tr_dirfp);
333 	while ((dp = readdir(trail->tr_dirfp)) != NULL) {
334 		if (dp->d_name[0] < '0' || dp->d_name[0] > '9')
335 			continue;
336 		if (dp->d_type == DT_UNKNOWN)
337 			dp->d_type = trail_type(trail->tr_dirfp, dp->d_name);
338 		/* We are only interested in regular files, skip the rest. */
339 		if (dp->d_type != DT_REG) {
340 			pjdlog_debug(1,
341 			    "File \"%s/%s\" is not a regular file, skipping.",
342 			    trail->tr_dirname, dp->d_name);
343 			continue;
344 		}
345 		/* Skip all files "greater" than curfile. */
346 		if (curfile[0] != '\0' && strcmp(dp->d_name, curfile) > 0)
347 			continue;
348 		/* Skip all files "smaller" than the current trail_filename. */
349 		if (trail->tr_filename[0] != '\0' &&
350 		    strcmp(dp->d_name, trail->tr_filename) <= 0) {
351 			continue;
352 		}
353 		PJDLOG_VERIFY(strlcpy(curfile, dp->d_name, sizeof(curfile)) <
354 		    sizeof(curfile));
355 	}
356 	if (curfile[0] == '\0') {
357 		/*
358 		 * There are no new trail files, so we return.
359 		 * We don't clear trail_filename string, to know where to
360 		 * start when new file appears.
361 		 */
362 		PJDLOG_ASSERT(trail->tr_filefd == -1);
363 		pjdlog_debug(1, "No new trail files.");
364 		return;
365 	}
366 	PJDLOG_VERIFY(strlcpy(trail->tr_filename, curfile,
367 	    sizeof(trail->tr_filename)) < sizeof(trail->tr_filename));
368 	dfd = dirfd(trail->tr_dirfp);
369 	PJDLOG_ASSERT(dfd >= 0);
370 	trail->tr_filefd = openat(dfd, trail->tr_filename, O_RDONLY);
371 	if (trail->tr_filefd == -1) {
372 		pjdlog_errno(LOG_ERR,
373 		    "Unable to open file \"%s/%s\", skipping",
374 		    trail->tr_dirname, trail->tr_filename);
375 		goto again;
376 	}
377 	pjdlog_debug(1, "Found next trail file: \"%s/%s\".", trail->tr_dirname,
378 	    trail->tr_filename);
379 }
380 
381 /*
382  * Close current trial file.
383  */
384 void
385 trail_close(struct trail *trail)
386 {
387 
388 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
389 	PJDLOG_ASSERT(trail->tr_filefd >= 0);
390 	PJDLOG_ASSERT(trail->tr_filename[0] != '\0');
391 
392 	PJDLOG_VERIFY(close(trail->tr_filefd) == 0);
393 	trail->tr_filefd = -1;
394 }
395 
396 /*
397  * Reset trail state. Used when connection is disconnected and we will
398  * need to start over after reconnect. Trail needs to be already closed.
399  */
400 void
401 trail_reset(struct trail *trail)
402 {
403 
404 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
405 	PJDLOG_ASSERT(trail->tr_filefd == -1);
406 
407 	trail->tr_filename[0] = '\0';
408 }
409 
410 /*
411  * Unlink current trial file.
412  */
413 void
414 trail_unlink(struct trail *trail, const char *filename)
415 {
416 	int dfd;
417 
418 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
419 	PJDLOG_ASSERT(filename != NULL);
420 	PJDLOG_ASSERT(filename[0] != '\0');
421 
422 	dfd = dirfd(trail->tr_dirfp);
423 	PJDLOG_ASSERT(dfd >= 0);
424 
425 	if (unlinkat(dfd, filename, 0) == -1) {
426 		pjdlog_errno(LOG_ERR, "Unable to remove \"%s/%s\"",
427 		    trail->tr_dirname, filename);
428 	} else {
429 		pjdlog_debug(1, "Trail file \"%s/%s\" removed.",
430 		    trail->tr_dirname, filename);
431 	}
432 }
433 
434 /*
435  * Return true if we should switch to next trail file.
436  * We don't switch if our file name ends with ".not_terminated" and it
437  * exists (ie. wasn't renamed).
438  */
439 bool
440 trail_switch(struct trail *trail)
441 {
442 	char filename[PATH_MAX];
443 	int fd;
444 
445 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
446 	PJDLOG_ASSERT(trail->tr_filefd >= 0);
447 
448 	if (!trail_is_not_terminated(trail->tr_filename))
449 		return (true);
450 	fd = dirfd(trail->tr_dirfp);
451 	PJDLOG_ASSERT(fd >= 0);
452 	if (faccessat(fd, trail->tr_filename, F_OK, 0) == 0)
453 		return (false);
454 	if (errno != ENOENT) {
455 		pjdlog_errno(LOG_ERR, "Unable to access file \"%s/%s\"",
456 		    trail->tr_dirname, trail->tr_filename);
457 	}
458 	strlcpy(filename, trail->tr_filename, sizeof(filename));
459 	if (!trail_find(trail)) {
460 		pjdlog_error("Trail file \"%s/%s\" disappeared.",
461 		    trail->tr_dirname, trail->tr_filename);
462 		return (true);
463 	}
464 	pjdlog_debug(1, "Trail file \"%s/%s\" was renamed to \"%s/%s\".",
465 	    trail->tr_dirname, filename, trail->tr_dirname,
466 	    trail->tr_filename);
467 	return (true);
468 }
469 
470 const char *
471 trail_filename(const struct trail *trail)
472 {
473 
474 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
475 
476 	return (trail->tr_filename);
477 }
478 
479 int
480 trail_filefd(const struct trail *trail)
481 {
482 
483 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
484 
485 	return (trail->tr_filefd);
486 }
487 
488 int
489 trail_dirfd(const struct trail *trail)
490 {
491 
492 	PJDLOG_ASSERT(trail->tr_magic == TRAIL_MAGIC);
493 
494 	return (dirfd(trail->tr_dirfp));
495 }
496 
497 /*
498  * Find the last file in the directory opened under dirfp.
499  */
500 void
501 trail_last(DIR *dirfp, char *filename, size_t filenamesize)
502 {
503 	char curfile[PATH_MAX];
504 	struct dirent *dp;
505 
506 	PJDLOG_ASSERT(dirfp != NULL);
507 
508 	curfile[0] = '\0';
509 
510 	rewinddir(dirfp);
511 	while ((dp = readdir(dirfp)) != NULL) {
512 		if (dp->d_name[0] < '0' || dp->d_name[0] > '9')
513 			continue;
514 		if (dp->d_type == DT_UNKNOWN)
515 			dp->d_type = trail_type(dirfp, dp->d_name);
516 		/* We are only interested in regular files, skip the rest. */
517 		if (dp->d_type != DT_REG)
518 			continue;
519 		/* Skip all files "greater" than curfile. */
520 		if (curfile[0] != '\0' && strcmp(dp->d_name, curfile) < 0)
521 			continue;
522 		PJDLOG_VERIFY(strlcpy(curfile, dp->d_name, sizeof(curfile)) <
523 		    sizeof(curfile));
524 	}
525 	if (curfile[0] == '\0') {
526 		/*
527 		 * There are no trail files, so we return.
528 		 */
529 		pjdlog_debug(1, "No trail files.");
530 		bzero(filename, filenamesize);
531 		return;
532 	}
533 	PJDLOG_VERIFY(strlcpy(filename, curfile, filenamesize) < filenamesize);
534 	pjdlog_debug(1, "Found the most recent trail file: \"%s\".", filename);
535 }
536 
537 /*
538  * Check if the given file name is a valid audit trail file name.
539  * Possible names:
540  * 20120106132657.20120106132805
541  * 20120106132657.not_terminated
542  * 20120106132657.crash_recovery
543  * If two names are given, check if the first name can be renamed
544  * to the second name. When renaming, first part of the name has
545  * to be identical and only the following renames are valid:
546  * 20120106132657.not_terminated -> 20120106132657.20120106132805
547  * 20120106132657.not_terminated -> 20120106132657.crash_recovery
548  */
549 bool
550 trail_validate_name(const char *srcname, const char *dstname)
551 {
552 	int i;
553 
554 	PJDLOG_ASSERT(srcname != NULL);
555 
556 	if (strlen(srcname) != 2 * HALF_LEN + 1)
557 		return (false);
558 	if (srcname[HALF_LEN] != '.')
559 		return (false);
560 	for (i = 0; i < HALF_LEN; i++) {
561 		if (srcname[i] < '0' || srcname[i] > '9')
562 			return (false);
563 	}
564 	for (i = HALF_LEN + 1; i < 2 * HALF_LEN - 1; i++) {
565 		if (srcname[i] < '0' || srcname[i] > '9')
566 			break;
567 	}
568 	if (i < 2 * HALF_LEN - 1 &&
569 	    strcmp(srcname + HALF_LEN + 1, "not_terminated") != 0 &&
570 	    strcmp(srcname + HALF_LEN + 1, "crash_recovery") != 0) {
571 		return (false);
572 	}
573 
574 	if (dstname == NULL)
575 		return (true);
576 
577 	/* We tolarate if both names are identical. */
578 	if (strcmp(srcname, dstname) == 0)
579 		return (true);
580 
581 	/* We can only rename not_terminated files. */
582 	if (strcmp(srcname + HALF_LEN + 1, "not_terminated") != 0)
583 		return (false);
584 	if (strlen(dstname) != 2 * HALF_LEN + 1)
585 		return (false);
586 	if (strncmp(srcname, dstname, HALF_LEN + 1) != 0)
587 		return (false);
588 	for (i = HALF_LEN + 1; i < 2 * HALF_LEN - 1; i++) {
589 		if (dstname[i] < '0' || dstname[i] > '9')
590 			break;
591 	}
592 	if (i < 2 * HALF_LEN - 1 &&
593 	    strcmp(dstname + HALF_LEN + 1, "crash_recovery") != 0) {
594 		return (false);
595 	}
596 
597 	return (true);
598 }
599 
600 int
601 trail_name_compare(const char *name0, const char *name1)
602 {
603 	int ret;
604 
605 	ret = strcmp(name0, name1);
606 	if (ret == 0)
607 		return (TRAIL_IDENTICAL);
608 	if (strncmp(name0, name1, HALF_LEN + 1) == 0)
609 		return (TRAIL_RENAMED);
610 	return (ret < 0 ? TRAIL_OLDER : TRAIL_NEWER);
611 }
612