xref: /freebsd/sbin/savecore/savecore.c (revision 5ab1c5846ff41be24b1f6beb0317bf8258cd4409)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2002 Poul-Henning Kamp
5  * Copyright (c) 2002 Networks Associates Technology, Inc.
6  * All rights reserved.
7  *
8  * This software was developed for the FreeBSD Project by Poul-Henning Kamp
9  * and NAI Labs, the Security Research Division of Network Associates, Inc.
10  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
11  * DARPA CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The names of the authors may not be used to endorse or promote
22  *    products derived from this software without specific prior written
23  *    permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  *
37  * Copyright (c) 1986, 1992, 1993
38  *	The Regents of the University of California.  All rights reserved.
39  *
40  * Redistribution and use in source and binary forms, with or without
41  * modification, are permitted provided that the following conditions
42  * are met:
43  * 1. Redistributions of source code must retain the above copyright
44  *    notice, this list of conditions and the following disclaimer.
45  * 2. Redistributions in binary form must reproduce the above copyright
46  *    notice, this list of conditions and the following disclaimer in the
47  *    documentation and/or other materials provided with the distribution.
48  * 3. Neither the name of the University nor the names of its contributors
49  *    may be used to endorse or promote products derived from this software
50  *    without specific prior written permission.
51  *
52  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62  * SUCH DAMAGE.
63  */
64 
65 #include <sys/cdefs.h>
66 __FBSDID("$FreeBSD$");
67 
68 #include <sys/param.h>
69 #include <sys/disk.h>
70 #include <sys/kerneldump.h>
71 #include <sys/mount.h>
72 #include <sys/stat.h>
73 
74 #include <capsicum_helpers.h>
75 #include <ctype.h>
76 #include <errno.h>
77 #include <fcntl.h>
78 #include <fstab.h>
79 #include <paths.h>
80 #include <signal.h>
81 #include <stdarg.h>
82 #include <stdbool.h>
83 #include <stdio.h>
84 #include <stdlib.h>
85 #include <string.h>
86 #include <syslog.h>
87 #include <time.h>
88 #include <unistd.h>
89 
90 #include <libcasper.h>
91 #include <casper/cap_fileargs.h>
92 #include <casper/cap_syslog.h>
93 
94 #include <libxo/xo.h>
95 
96 /* The size of the buffer used for I/O. */
97 #define	BUFFERSIZE	(1024*1024)
98 
99 #define	STATUS_BAD	0
100 #define	STATUS_GOOD	1
101 #define	STATUS_UNKNOWN	2
102 
103 static cap_channel_t *capsyslog;
104 static fileargs_t *capfa;
105 static int checkfor, compress, clear, force, keep, verbose;	/* flags */
106 static int nfound, nsaved, nerr;			/* statistics */
107 static int maxdumps;
108 
109 extern FILE *zdopen(int, const char *);
110 
111 static sig_atomic_t got_siginfo;
112 static void infohandler(int);
113 
114 static void
115 logmsg(int pri, const char *fmt, ...)
116 {
117 	va_list ap;
118 
119 	va_start(ap, fmt);
120 	if (capsyslog != NULL)
121 		cap_vsyslog(capsyslog, pri, fmt, ap);
122 	else
123 		vsyslog(pri, fmt, ap);
124 	va_end(ap);
125 }
126 
127 static FILE *
128 xfopenat(int dirfd, const char *path, int flags, const char *modestr, ...)
129 {
130 	va_list ap;
131 	FILE *fp;
132 	mode_t mode;
133 	int error, fd;
134 
135 	if ((flags & O_CREAT) == O_CREAT) {
136 		va_start(ap, modestr);
137 		mode = (mode_t)va_arg(ap, int);
138 		va_end(ap);
139 	} else
140 		mode = 0;
141 
142 	fd = openat(dirfd, path, flags, mode);
143 	if (fd < 0)
144 		return (NULL);
145 	fp = fdopen(fd, modestr);
146 	if (fp == NULL) {
147 		error = errno;
148 		(void)close(fd);
149 		errno = error;
150 	}
151 	return (fp);
152 }
153 
154 static void
155 printheader(xo_handle_t *xo, const struct kerneldumpheader *h,
156     const char *device, int bounds, const int status)
157 {
158 	uint64_t dumplen;
159 	time_t t;
160 	const char *stat_str;
161 	const char *comp_str;
162 
163 	xo_flush_h(xo);
164 	xo_emit_h(xo, "{Lwc:Dump header from device}{:dump_device/%s}\n",
165 	    device);
166 	xo_emit_h(xo, "{P:  }{Lwc:Architecture}{:architecture/%s}\n",
167 	    h->architecture);
168 	xo_emit_h(xo,
169 	    "{P:  }{Lwc:Architecture Version}{:architecture_version/%u}\n",
170 	    dtoh32(h->architectureversion));
171 	dumplen = dtoh64(h->dumplength);
172 	xo_emit_h(xo, "{P:  }{Lwc:Dump Length}{:dump_length_bytes/%lld}\n",
173 	    (long long)dumplen);
174 	xo_emit_h(xo, "{P:  }{Lwc:Blocksize}{:blocksize/%d}\n",
175 	    dtoh32(h->blocksize));
176 	switch (h->compression) {
177 	case KERNELDUMP_COMP_NONE:
178 		comp_str = "none";
179 		break;
180 	case KERNELDUMP_COMP_GZIP:
181 		comp_str = "gzip";
182 		break;
183 	case KERNELDUMP_COMP_ZSTD:
184 		comp_str = "zstd";
185 		break;
186 	default:
187 		comp_str = "???";
188 		break;
189 	}
190 	xo_emit_h(xo, "{P:  }{Lwc:Compression}{:compression/%s}\n", comp_str);
191 	t = dtoh64(h->dumptime);
192 	xo_emit_h(xo, "{P:  }{Lwc:Dumptime}{:dumptime/%s}", ctime(&t));
193 	xo_emit_h(xo, "{P:  }{Lwc:Hostname}{:hostname/%s}\n", h->hostname);
194 	xo_emit_h(xo, "{P:  }{Lwc:Magic}{:magic/%s}\n", h->magic);
195 	xo_emit_h(xo, "{P:  }{Lwc:Version String}{:version_string/%s}",
196 	    h->versionstring);
197 	xo_emit_h(xo, "{P:  }{Lwc:Panic String}{:panic_string/%s}\n",
198 	    h->panicstring);
199 	xo_emit_h(xo, "{P:  }{Lwc:Dump Parity}{:dump_parity/%u}\n", h->parity);
200 	xo_emit_h(xo, "{P:  }{Lwc:Bounds}{:bounds/%d}\n", bounds);
201 
202 	switch (status) {
203 	case STATUS_BAD:
204 		stat_str = "bad";
205 		break;
206 	case STATUS_GOOD:
207 		stat_str = "good";
208 		break;
209 	default:
210 		stat_str = "unknown";
211 		break;
212 	}
213 	xo_emit_h(xo, "{P:  }{Lwc:Dump Status}{:dump_status/%s}\n", stat_str);
214 	xo_flush_h(xo);
215 }
216 
217 static int
218 getbounds(int savedirfd)
219 {
220 	FILE *fp;
221 	char buf[6];
222 	int ret;
223 
224 	/*
225 	 * If we are just checking, then we haven't done a chdir to the dump
226 	 * directory and we should not try to read a bounds file.
227 	 */
228 	if (checkfor)
229 		return (0);
230 
231 	ret = 0;
232 
233 	if ((fp = xfopenat(savedirfd, "bounds", O_RDONLY, "r")) == NULL) {
234 		if (verbose)
235 			printf("unable to open bounds file, using 0\n");
236 		return (ret);
237 	}
238 	if (fgets(buf, sizeof(buf), fp) == NULL) {
239 		if (feof(fp))
240 			logmsg(LOG_WARNING, "bounds file is empty, using 0");
241 		else
242 			logmsg(LOG_WARNING, "bounds file: %s", strerror(errno));
243 		fclose(fp);
244 		return (ret);
245 	}
246 
247 	errno = 0;
248 	ret = (int)strtol(buf, NULL, 10);
249 	if (ret == 0 && (errno == EINVAL || errno == ERANGE))
250 		logmsg(LOG_WARNING, "invalid value found in bounds, using 0");
251 	fclose(fp);
252 	return (ret);
253 }
254 
255 static void
256 writebounds(int savedirfd, int bounds)
257 {
258 	FILE *fp;
259 
260 	if ((fp = xfopenat(savedirfd, "bounds", O_WRONLY | O_CREAT | O_TRUNC,
261 	    "w", 0644)) == NULL) {
262 		logmsg(LOG_WARNING, "unable to write to bounds file: %m");
263 		return;
264 	}
265 
266 	if (verbose)
267 		printf("bounds number: %d\n", bounds);
268 
269 	fprintf(fp, "%d\n", bounds);
270 	fclose(fp);
271 }
272 
273 static bool
274 writekey(int savedirfd, const char *keyname, uint8_t *dumpkey,
275     uint32_t dumpkeysize)
276 {
277 	int fd;
278 
279 	fd = openat(savedirfd, keyname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
280 	if (fd == -1) {
281 		logmsg(LOG_ERR, "Unable to open %s to write the key: %m.",
282 		    keyname);
283 		return (false);
284 	}
285 
286 	if (write(fd, dumpkey, dumpkeysize) != (ssize_t)dumpkeysize) {
287 		logmsg(LOG_ERR, "Unable to write the key to %s: %m.", keyname);
288 		close(fd);
289 		return (false);
290 	}
291 
292 	close(fd);
293 	return (true);
294 }
295 
296 static off_t
297 file_size(int savedirfd, const char *path)
298 {
299 	struct stat sb;
300 
301 	/* Ignore all errors, this file may not exist. */
302 	if (fstatat(savedirfd, path, &sb, 0) == -1)
303 		return (0);
304 	return (sb.st_size);
305 }
306 
307 static off_t
308 saved_dump_size(int savedirfd, int bounds)
309 {
310 	static char path[PATH_MAX];
311 	off_t dumpsize;
312 
313 	dumpsize = 0;
314 
315 	(void)snprintf(path, sizeof(path), "info.%d", bounds);
316 	dumpsize += file_size(savedirfd, path);
317 	(void)snprintf(path, sizeof(path), "vmcore.%d", bounds);
318 	dumpsize += file_size(savedirfd, path);
319 	(void)snprintf(path, sizeof(path), "vmcore.%d.gz", bounds);
320 	dumpsize += file_size(savedirfd, path);
321 	(void)snprintf(path, sizeof(path), "vmcore.%d.zst", bounds);
322 	dumpsize += file_size(savedirfd, path);
323 	(void)snprintf(path, sizeof(path), "textdump.tar.%d", bounds);
324 	dumpsize += file_size(savedirfd, path);
325 	(void)snprintf(path, sizeof(path), "textdump.tar.%d.gz", bounds);
326 	dumpsize += file_size(savedirfd, path);
327 
328 	return (dumpsize);
329 }
330 
331 static void
332 saved_dump_remove(int savedirfd, int bounds)
333 {
334 	static char path[PATH_MAX];
335 
336 	(void)snprintf(path, sizeof(path), "info.%d", bounds);
337 	(void)unlinkat(savedirfd, path, 0);
338 	(void)snprintf(path, sizeof(path), "vmcore.%d", bounds);
339 	(void)unlinkat(savedirfd, path, 0);
340 	(void)snprintf(path, sizeof(path), "vmcore.%d.gz", bounds);
341 	(void)unlinkat(savedirfd, path, 0);
342 	(void)snprintf(path, sizeof(path), "vmcore.%d.zst", bounds);
343 	(void)unlinkat(savedirfd, path, 0);
344 	(void)snprintf(path, sizeof(path), "textdump.tar.%d", bounds);
345 	(void)unlinkat(savedirfd, path, 0);
346 	(void)snprintf(path, sizeof(path), "textdump.tar.%d.gz", bounds);
347 	(void)unlinkat(savedirfd, path, 0);
348 }
349 
350 static void
351 symlinks_remove(int savedirfd)
352 {
353 
354 	(void)unlinkat(savedirfd, "info.last", 0);
355 	(void)unlinkat(savedirfd, "key.last", 0);
356 	(void)unlinkat(savedirfd, "vmcore.last", 0);
357 	(void)unlinkat(savedirfd, "vmcore.last.gz", 0);
358 	(void)unlinkat(savedirfd, "vmcore.last.zst", 0);
359 	(void)unlinkat(savedirfd, "vmcore_encrypted.last", 0);
360 	(void)unlinkat(savedirfd, "vmcore_encrypted.last.gz", 0);
361 	(void)unlinkat(savedirfd, "textdump.tar.last", 0);
362 	(void)unlinkat(savedirfd, "textdump.tar.last.gz", 0);
363 }
364 
365 /*
366  * Check that sufficient space is available on the disk that holds the
367  * save directory.
368  */
369 static int
370 check_space(const char *savedir, int savedirfd, off_t dumpsize, int bounds)
371 {
372 	char buf[100];
373 	struct statfs fsbuf;
374 	FILE *fp;
375 	off_t available, minfree, spacefree, totfree, needed;
376 
377 	if (fstatfs(savedirfd, &fsbuf) < 0) {
378 		logmsg(LOG_ERR, "%s: %m", savedir);
379 		exit(1);
380 	}
381 	spacefree = ((off_t) fsbuf.f_bavail * fsbuf.f_bsize) / 1024;
382 	totfree = ((off_t) fsbuf.f_bfree * fsbuf.f_bsize) / 1024;
383 
384 	if ((fp = xfopenat(savedirfd, "minfree", O_RDONLY, "r")) == NULL)
385 		minfree = 0;
386 	else {
387 		if (fgets(buf, sizeof(buf), fp) == NULL)
388 			minfree = 0;
389 		else {
390 			char *endp;
391 
392 			errno = 0;
393 			minfree = strtoll(buf, &endp, 10);
394 			if (minfree == 0 && errno != 0)
395 				minfree = -1;
396 			else {
397 				while (*endp != '\0' && isspace(*endp))
398 					endp++;
399 				if (*endp != '\0' || minfree < 0)
400 					minfree = -1;
401 			}
402 			if (minfree < 0)
403 				logmsg(LOG_WARNING,
404 				    "`minfree` didn't contain a valid size "
405 				    "(`%s`). Defaulting to 0", buf);
406 		}
407 		(void)fclose(fp);
408 	}
409 
410 	available = minfree > 0 ? spacefree - minfree : totfree;
411 	needed = dumpsize / 1024 + 2;	/* 2 for info file */
412 	needed -= saved_dump_size(savedirfd, bounds);
413 	if (available < needed) {
414 		logmsg(LOG_WARNING,
415 		    "no dump: not enough free space on device (need at least "
416 		    "%jdkB for dump; %jdkB available; %jdkB reserved)",
417 		    (intmax_t)needed,
418 		    (intmax_t)available + minfree,
419 		    (intmax_t)minfree);
420 		return (0);
421 	}
422 	if (spacefree - needed < 0)
423 		logmsg(LOG_WARNING,
424 		    "dump performed, but free space threshold crossed");
425 	return (1);
426 }
427 
428 static bool
429 compare_magic(const struct kerneldumpheader *kdh, const char *magic)
430 {
431 
432 	return (strncmp(kdh->magic, magic, sizeof(kdh->magic)) == 0);
433 }
434 
435 #define BLOCKSIZE (1<<12)
436 #define BLOCKMASK (~(BLOCKSIZE-1))
437 
438 static int
439 DoRegularFile(int fd, off_t dumpsize, u_int sectorsize, bool sparse, char *buf,
440     const char *device, const char *filename, FILE *fp)
441 {
442 	int he, hs, nr, nw, wl;
443 	off_t dmpcnt, origsize;
444 
445 	dmpcnt = 0;
446 	origsize = dumpsize;
447 	he = 0;
448 	while (dumpsize > 0) {
449 		wl = BUFFERSIZE;
450 		if (wl > dumpsize)
451 			wl = dumpsize;
452 		nr = read(fd, buf, roundup(wl, sectorsize));
453 		if (nr != (int)roundup(wl, sectorsize)) {
454 			if (nr == 0)
455 				logmsg(LOG_WARNING,
456 				    "WARNING: EOF on dump device");
457 			else
458 				logmsg(LOG_ERR, "read error on %s: %m", device);
459 			nerr++;
460 			return (-1);
461 		}
462 		if (!sparse) {
463 			nw = fwrite(buf, 1, wl, fp);
464 		} else {
465 			for (nw = 0; nw < nr; nw = he) {
466 				/* find a contiguous block of zeroes */
467 				for (hs = nw; hs < nr; hs += BLOCKSIZE) {
468 					for (he = hs; he < nr && buf[he] == 0;
469 					    ++he)
470 						/* nothing */ ;
471 					/* is the hole long enough to matter? */
472 					if (he >= hs + BLOCKSIZE)
473 						break;
474 				}
475 
476 				/* back down to a block boundary */
477 				he &= BLOCKMASK;
478 
479 				/*
480 				 * 1) Don't go beyond the end of the buffer.
481 				 * 2) If the end of the buffer is less than
482 				 *    BLOCKSIZE bytes away, we're at the end
483 				 *    of the file, so just grab what's left.
484 				 */
485 				if (hs + BLOCKSIZE > nr)
486 					hs = he = nr;
487 
488 				/*
489 				 * At this point, we have a partial ordering:
490 				 *     nw <= hs <= he <= nr
491 				 * If hs > nw, buf[nw..hs] contains non-zero
492 				 * data. If he > hs, buf[hs..he] is all zeroes.
493 				 */
494 				if (hs > nw)
495 					if (fwrite(buf + nw, hs - nw, 1, fp)
496 					    != 1)
497 					break;
498 				if (he > hs)
499 					if (fseeko(fp, he - hs, SEEK_CUR) == -1)
500 						break;
501 			}
502 		}
503 		if (nw != wl) {
504 			logmsg(LOG_ERR,
505 			    "write error on %s file: %m", filename);
506 			logmsg(LOG_WARNING,
507 			    "WARNING: vmcore may be incomplete");
508 			nerr++;
509 			return (-1);
510 		}
511 		if (verbose) {
512 			dmpcnt += wl;
513 			printf("%llu\r", (unsigned long long)dmpcnt);
514 			fflush(stdout);
515 		}
516 		dumpsize -= wl;
517 		if (got_siginfo) {
518 			printf("%s %.1lf%%\n", filename, (100.0 - (100.0 *
519 			    (double)dumpsize / (double)origsize)));
520 			got_siginfo = 0;
521 		}
522 	}
523 	return (0);
524 }
525 
526 /*
527  * Specialized version of dump-reading logic for use with textdumps, which
528  * are written backwards from the end of the partition, and must be reversed
529  * before being written to the file.  Textdumps are small, so do a bit less
530  * work to optimize/sparsify.
531  */
532 static int
533 DoTextdumpFile(int fd, off_t dumpsize, off_t lasthd, char *buf,
534     const char *device, const char *filename, FILE *fp)
535 {
536 	int nr, nw, wl;
537 	off_t dmpcnt, totsize;
538 
539 	totsize = dumpsize;
540 	dmpcnt = 0;
541 	wl = 512;
542 	if ((dumpsize % wl) != 0) {
543 		logmsg(LOG_ERR, "textdump uneven multiple of 512 on %s",
544 		    device);
545 		nerr++;
546 		return (-1);
547 	}
548 	while (dumpsize > 0) {
549 		nr = pread(fd, buf, wl, lasthd - (totsize - dumpsize) - wl);
550 		if (nr != wl) {
551 			if (nr == 0)
552 				logmsg(LOG_WARNING,
553 				    "WARNING: EOF on dump device");
554 			else
555 				logmsg(LOG_ERR, "read error on %s: %m", device);
556 			nerr++;
557 			return (-1);
558 		}
559 		nw = fwrite(buf, 1, wl, fp);
560 		if (nw != wl) {
561 			logmsg(LOG_ERR,
562 			    "write error on %s file: %m", filename);
563 			logmsg(LOG_WARNING,
564 			    "WARNING: textdump may be incomplete");
565 			nerr++;
566 			return (-1);
567 		}
568 		if (verbose) {
569 			dmpcnt += wl;
570 			printf("%llu\r", (unsigned long long)dmpcnt);
571 			fflush(stdout);
572 		}
573 		dumpsize -= wl;
574 	}
575 	return (0);
576 }
577 
578 static void
579 DoFile(const char *savedir, int savedirfd, const char *device)
580 {
581 	xo_handle_t *xostdout, *xoinfo;
582 	static char infoname[PATH_MAX], corename[PATH_MAX], linkname[PATH_MAX];
583 	static char keyname[PATH_MAX];
584 	static char *buf = NULL;
585 	char *temp = NULL;
586 	struct kerneldumpheader kdhf, kdhl;
587 	uint8_t *dumpkey;
588 	off_t mediasize, dumpextent, dumplength, firsthd, lasthd;
589 	FILE *core, *info;
590 	int fdcore, fddev, error;
591 	int bounds, status;
592 	u_int sectorsize, xostyle;
593 	uint32_t dumpkeysize;
594 	bool iscompressed, isencrypted, istextdump, ret;
595 
596 	bounds = getbounds(savedirfd);
597 	dumpkey = NULL;
598 	mediasize = 0;
599 	status = STATUS_UNKNOWN;
600 
601 	xostdout = xo_create_to_file(stdout, XO_STYLE_TEXT, 0);
602 	if (xostdout == NULL) {
603 		logmsg(LOG_ERR, "%s: %m", infoname);
604 		return;
605 	}
606 
607 	if (maxdumps > 0 && bounds == maxdumps)
608 		bounds = 0;
609 
610 	if (buf == NULL) {
611 		buf = malloc(BUFFERSIZE);
612 		if (buf == NULL) {
613 			logmsg(LOG_ERR, "%m");
614 			return;
615 		}
616 	}
617 
618 	if (verbose)
619 		printf("checking for kernel dump on device %s\n", device);
620 
621 	fddev = fileargs_open(capfa, device);
622 	if (fddev < 0) {
623 		logmsg(LOG_ERR, "%s: %m", device);
624 		return;
625 	}
626 
627 	error = ioctl(fddev, DIOCGMEDIASIZE, &mediasize);
628 	if (!error)
629 		error = ioctl(fddev, DIOCGSECTORSIZE, &sectorsize);
630 	if (error) {
631 		logmsg(LOG_ERR,
632 		    "couldn't find media and/or sector size of %s: %m", device);
633 		goto closefd;
634 	}
635 
636 	if (verbose) {
637 		printf("mediasize = %lld bytes\n", (long long)mediasize);
638 		printf("sectorsize = %u bytes\n", sectorsize);
639 	}
640 
641 	if (sectorsize < sizeof(kdhl)) {
642 		logmsg(LOG_ERR,
643 		    "Sector size is less the kernel dump header %zu",
644 		    sizeof(kdhl));
645 		goto closefd;
646 	}
647 
648 	lasthd = mediasize - sectorsize;
649 	temp = malloc(sectorsize);
650 	if (temp == NULL) {
651 		logmsg(LOG_ERR, "%m");
652 		goto closefd;
653 	}
654 	if (lseek(fddev, lasthd, SEEK_SET) != lasthd ||
655 	    read(fddev, temp, sectorsize) != (ssize_t)sectorsize) {
656 		logmsg(LOG_ERR,
657 		    "error reading last dump header at offset %lld in %s: %m",
658 		    (long long)lasthd, device);
659 		goto closefd;
660 	}
661 	memcpy(&kdhl, temp, sizeof(kdhl));
662 	iscompressed = istextdump = false;
663 	if (compare_magic(&kdhl, TEXTDUMPMAGIC)) {
664 		if (verbose)
665 			printf("textdump magic on last dump header on %s\n",
666 			    device);
667 		istextdump = true;
668 		if (dtoh32(kdhl.version) != KERNELDUMP_TEXT_VERSION) {
669 			logmsg(LOG_ERR,
670 			    "unknown version (%d) in last dump header on %s",
671 			    dtoh32(kdhl.version), device);
672 
673 			status = STATUS_BAD;
674 			if (force == 0)
675 				goto closefd;
676 		}
677 	} else if (compare_magic(&kdhl, KERNELDUMPMAGIC)) {
678 		if (dtoh32(kdhl.version) != KERNELDUMPVERSION) {
679 			logmsg(LOG_ERR,
680 			    "unknown version (%d) in last dump header on %s",
681 			    dtoh32(kdhl.version), device);
682 
683 			status = STATUS_BAD;
684 			if (force == 0)
685 				goto closefd;
686 		}
687 		switch (kdhl.compression) {
688 		case KERNELDUMP_COMP_NONE:
689 			break;
690 		case KERNELDUMP_COMP_GZIP:
691 		case KERNELDUMP_COMP_ZSTD:
692 			if (compress && verbose)
693 				printf("dump is already compressed\n");
694 			compress = false;
695 			iscompressed = true;
696 			break;
697 		default:
698 			logmsg(LOG_ERR, "unknown compression type %d on %s",
699 			    kdhl.compression, device);
700 			break;
701 		}
702 	} else {
703 		if (verbose)
704 			printf("magic mismatch on last dump header on %s\n",
705 			    device);
706 
707 		status = STATUS_BAD;
708 		if (force == 0)
709 			goto closefd;
710 
711 		if (compare_magic(&kdhl, KERNELDUMPMAGIC_CLEARED)) {
712 			if (verbose)
713 				printf("forcing magic on %s\n", device);
714 			memcpy(kdhl.magic, KERNELDUMPMAGIC, sizeof(kdhl.magic));
715 		} else {
716 			logmsg(LOG_ERR, "unable to force dump - bad magic");
717 			goto closefd;
718 		}
719 		if (dtoh32(kdhl.version) != KERNELDUMPVERSION) {
720 			logmsg(LOG_ERR,
721 			    "unknown version (%d) in last dump header on %s",
722 			    dtoh32(kdhl.version), device);
723 
724 			status = STATUS_BAD;
725 			if (force == 0)
726 				goto closefd;
727 		}
728 	}
729 
730 	nfound++;
731 	if (clear)
732 		goto nuke;
733 
734 	if (kerneldump_parity(&kdhl)) {
735 		logmsg(LOG_ERR,
736 		    "parity error on last dump header on %s", device);
737 		nerr++;
738 		status = STATUS_BAD;
739 		if (force == 0)
740 			goto closefd;
741 	}
742 	dumpextent = dtoh64(kdhl.dumpextent);
743 	dumplength = dtoh64(kdhl.dumplength);
744 	dumpkeysize = dtoh32(kdhl.dumpkeysize);
745 	firsthd = lasthd - dumpextent - sectorsize - dumpkeysize;
746 	if (lseek(fddev, firsthd, SEEK_SET) != firsthd ||
747 	    read(fddev, temp, sectorsize) != (ssize_t)sectorsize) {
748 		logmsg(LOG_ERR,
749 		    "error reading first dump header at offset %lld in %s: %m",
750 		    (long long)firsthd, device);
751 		nerr++;
752 		goto closefd;
753 	}
754 	memcpy(&kdhf, temp, sizeof(kdhf));
755 
756 	if (verbose >= 2) {
757 		printf("First dump headers:\n");
758 		printheader(xostdout, &kdhf, device, bounds, -1);
759 
760 		printf("\nLast dump headers:\n");
761 		printheader(xostdout, &kdhl, device, bounds, -1);
762 		printf("\n");
763 	}
764 
765 	if (memcmp(&kdhl, &kdhf, sizeof(kdhl))) {
766 		logmsg(LOG_ERR,
767 		    "first and last dump headers disagree on %s", device);
768 		nerr++;
769 		status = STATUS_BAD;
770 		if (force == 0)
771 			goto closefd;
772 	} else {
773 		status = STATUS_GOOD;
774 	}
775 
776 	if (checkfor) {
777 		printf("A dump exists on %s\n", device);
778 		close(fddev);
779 		exit(0);
780 	}
781 
782 	if (kdhl.panicstring[0] != '\0')
783 		logmsg(LOG_ALERT, "reboot after panic: %.*s",
784 		    (int)sizeof(kdhl.panicstring), kdhl.panicstring);
785 	else
786 		logmsg(LOG_ALERT, "reboot");
787 
788 	if (verbose)
789 		printf("Checking for available free space\n");
790 
791 	if (!check_space(savedir, savedirfd, dumplength, bounds)) {
792 		nerr++;
793 		goto closefd;
794 	}
795 
796 	writebounds(savedirfd, bounds + 1);
797 
798 	saved_dump_remove(savedirfd, bounds);
799 
800 	snprintf(infoname, sizeof(infoname), "info.%d", bounds);
801 
802 	/*
803 	 * Create or overwrite any existing dump header files.
804 	 */
805 	if ((info = xfopenat(savedirfd, infoname,
806 	    O_WRONLY | O_CREAT | O_TRUNC, "w", 0600)) == NULL) {
807 		logmsg(LOG_ERR, "open(%s): %m", infoname);
808 		nerr++;
809 		goto closefd;
810 	}
811 
812 	isencrypted = (dumpkeysize > 0);
813 	if (compress)
814 		snprintf(corename, sizeof(corename), "%s.%d.gz",
815 		    istextdump ? "textdump.tar" :
816 		    (isencrypted ? "vmcore_encrypted" : "vmcore"), bounds);
817 	else if (iscompressed && !isencrypted)
818 		snprintf(corename, sizeof(corename), "vmcore.%d.%s", bounds,
819 		    (kdhl.compression == KERNELDUMP_COMP_GZIP) ? "gz" : "zst");
820 	else
821 		snprintf(corename, sizeof(corename), "%s.%d",
822 		    istextdump ? "textdump.tar" :
823 		    (isencrypted ? "vmcore_encrypted" : "vmcore"), bounds);
824 	fdcore = openat(savedirfd, corename, O_WRONLY | O_CREAT | O_TRUNC,
825 	    0600);
826 	if (fdcore < 0) {
827 		logmsg(LOG_ERR, "open(%s): %m", corename);
828 		fclose(info);
829 		nerr++;
830 		goto closefd;
831 	}
832 
833 	if (compress)
834 		core = zdopen(fdcore, "w");
835 	else
836 		core = fdopen(fdcore, "w");
837 	if (core == NULL) {
838 		logmsg(LOG_ERR, "%s: %m", corename);
839 		(void)close(fdcore);
840 		(void)fclose(info);
841 		nerr++;
842 		goto closefd;
843 	}
844 	fdcore = -1;
845 
846 	xostyle = xo_get_style(NULL);
847 	xoinfo = xo_create_to_file(info, xostyle, 0);
848 	if (xoinfo == NULL) {
849 		logmsg(LOG_ERR, "%s: %m", infoname);
850 		fclose(info);
851 		nerr++;
852 		goto closeall;
853 	}
854 	xo_open_container_h(xoinfo, "crashdump");
855 
856 	if (verbose)
857 		printheader(xostdout, &kdhl, device, bounds, status);
858 
859 	printheader(xoinfo, &kdhl, device, bounds, status);
860 	xo_close_container_h(xoinfo, "crashdump");
861 	xo_flush_h(xoinfo);
862 	xo_finish_h(xoinfo);
863 	fclose(info);
864 
865 	if (isencrypted) {
866 		dumpkey = calloc(1, dumpkeysize);
867 		if (dumpkey == NULL) {
868 			logmsg(LOG_ERR, "Unable to allocate kernel dump key.");
869 			nerr++;
870 			goto closeall;
871 		}
872 
873 		if (read(fddev, dumpkey, dumpkeysize) != (ssize_t)dumpkeysize) {
874 			logmsg(LOG_ERR, "Unable to read kernel dump key: %m.");
875 			nerr++;
876 			goto closeall;
877 		}
878 
879 		snprintf(keyname, sizeof(keyname), "key.%d", bounds);
880 		ret = writekey(savedirfd, keyname, dumpkey, dumpkeysize);
881 		explicit_bzero(dumpkey, dumpkeysize);
882 		if (!ret) {
883 			nerr++;
884 			goto closeall;
885 		}
886 	}
887 
888 	logmsg(LOG_NOTICE, "writing %s%score to %s/%s",
889 	    isencrypted ? "encrypted " : "", compress ? "compressed " : "",
890 	    savedir, corename);
891 
892 	if (istextdump) {
893 		if (DoTextdumpFile(fddev, dumplength, lasthd, buf, device,
894 		    corename, core) < 0)
895 			goto closeall;
896 	} else {
897 		if (DoRegularFile(fddev, dumplength, sectorsize,
898 		    !(compress || iscompressed || isencrypted), buf, device,
899 		    corename, core) < 0) {
900 			goto closeall;
901 		}
902 	}
903 	if (verbose)
904 		printf("\n");
905 
906 	if (fclose(core) < 0) {
907 		logmsg(LOG_ERR, "error on %s: %m", corename);
908 		nerr++;
909 		goto closefd;
910 	}
911 
912 	symlinks_remove(savedirfd);
913 	if (symlinkat(infoname, savedirfd, "info.last") == -1) {
914 		logmsg(LOG_WARNING, "unable to create symlink %s/%s: %m",
915 		    savedir, "info.last");
916 	}
917 	if (isencrypted) {
918 		if (symlinkat(keyname, savedirfd, "key.last") == -1) {
919 			logmsg(LOG_WARNING,
920 			    "unable to create symlink %s/%s: %m", savedir,
921 			    "key.last");
922 		}
923 	}
924 	if (compress || iscompressed) {
925 		snprintf(linkname, sizeof(linkname), "%s.last.%s",
926 		    istextdump ? "textdump.tar" :
927 		    (isencrypted ? "vmcore_encrypted" : "vmcore"),
928 		    (kdhl.compression == KERNELDUMP_COMP_ZSTD) ? "zst" : "gz");
929 	} else {
930 		snprintf(linkname, sizeof(linkname), "%s.last",
931 		    istextdump ? "textdump.tar" :
932 		    (isencrypted ? "vmcore_encrypted" : "vmcore"));
933 	}
934 	if (symlinkat(corename, savedirfd, linkname) == -1) {
935 		logmsg(LOG_WARNING, "unable to create symlink %s/%s: %m",
936 		    savedir, linkname);
937 	}
938 
939 	nsaved++;
940 
941 	if (verbose)
942 		printf("dump saved\n");
943 
944 nuke:
945 	if (!keep) {
946 		if (verbose)
947 			printf("clearing dump header\n");
948 		memcpy(kdhl.magic, KERNELDUMPMAGIC_CLEARED, sizeof(kdhl.magic));
949 		memcpy(temp, &kdhl, sizeof(kdhl));
950 		if (lseek(fddev, lasthd, SEEK_SET) != lasthd ||
951 		    write(fddev, temp, sectorsize) != (ssize_t)sectorsize)
952 			logmsg(LOG_ERR,
953 			    "error while clearing the dump header: %m");
954 	}
955 	xo_close_container_h(xostdout, "crashdump");
956 	xo_finish_h(xostdout);
957 	free(dumpkey);
958 	free(temp);
959 	close(fddev);
960 	return;
961 
962 closeall:
963 	fclose(core);
964 
965 closefd:
966 	free(dumpkey);
967 	free(temp);
968 	close(fddev);
969 }
970 
971 static char **
972 enum_dumpdevs(int *argcp)
973 {
974 	struct fstab *fsp;
975 	char **argv;
976 	int argc, n;
977 
978 	/*
979 	 * We cannot use getfsent(3) in capability mode, so we must
980 	 * scan /etc/fstab and build up a list of candidate devices
981 	 * before proceeding.
982 	 */
983 	argc = 0;
984 	n = 8;
985 	argv = malloc(n * sizeof(*argv));
986 	if (argv == NULL) {
987 		logmsg(LOG_ERR, "malloc(): %m");
988 		exit(1);
989 	}
990 	for (;;) {
991 		fsp = getfsent();
992 		if (fsp == NULL)
993 			break;
994 		if (strcmp(fsp->fs_vfstype, "swap") != 0 &&
995 		    strcmp(fsp->fs_vfstype, "dump") != 0)
996 			continue;
997 		if (argc >= n) {
998 			n *= 2;
999 			argv = realloc(argv, n * sizeof(*argv));
1000 			if (argv == NULL) {
1001 				logmsg(LOG_ERR, "realloc(): %m");
1002 				exit(1);
1003 			}
1004 		}
1005 		argv[argc] = strdup(fsp->fs_spec);
1006 		if (argv[argc] == NULL) {
1007 			logmsg(LOG_ERR, "strdup(): %m");
1008 			exit(1);
1009 		}
1010 		argc++;
1011 	}
1012 	*argcp = argc;
1013 	return (argv);
1014 }
1015 
1016 static void
1017 init_caps(int argc, char **argv)
1018 {
1019 	cap_rights_t rights;
1020 	cap_channel_t *capcas;
1021 
1022 	capcas = cap_init();
1023 	if (capcas == NULL) {
1024 		logmsg(LOG_ERR, "cap_init(): %m");
1025 		exit(1);
1026 	}
1027 	/*
1028 	 * The fileargs capability does not currently provide a way to limit
1029 	 * ioctls.
1030 	 */
1031 	(void)cap_rights_init(&rights, CAP_PREAD, CAP_WRITE, CAP_IOCTL);
1032 	capfa = fileargs_init(argc, argv, checkfor || keep ? O_RDONLY : O_RDWR,
1033 	    0, &rights, FA_OPEN);
1034 	if (capfa == NULL) {
1035 		logmsg(LOG_ERR, "fileargs_init(): %m");
1036 		exit(1);
1037 	}
1038 	caph_cache_catpages();
1039 	caph_cache_tzdata();
1040 	if (caph_enter_casper() != 0) {
1041 		logmsg(LOG_ERR, "caph_enter_casper(): %m");
1042 		exit(1);
1043 	}
1044 	capsyslog = cap_service_open(capcas, "system.syslog");
1045 	if (capsyslog == NULL) {
1046 		logmsg(LOG_ERR, "cap_service_open(system.syslog): %m");
1047 		exit(1);
1048 	}
1049 	cap_close(capcas);
1050 }
1051 
1052 static void
1053 usage(void)
1054 {
1055 	xo_error("%s\n%s\n%s\n",
1056 	    "usage: savecore -c [-v] [device ...]",
1057 	    "       savecore -C [-v] [device ...]",
1058 	    "       savecore [-fkvz] [-m maxdumps] [directory [device ...]]");
1059 	exit(1);
1060 }
1061 
1062 int
1063 main(int argc, char **argv)
1064 {
1065 	cap_rights_t rights;
1066 	const char *savedir;
1067 	int i, ch, error, savedirfd;
1068 
1069 	checkfor = compress = clear = force = keep = verbose = 0;
1070 	nfound = nsaved = nerr = 0;
1071 	savedir = ".";
1072 
1073 	openlog("savecore", LOG_PERROR, LOG_DAEMON);
1074 	signal(SIGINFO, infohandler);
1075 
1076 	argc = xo_parse_args(argc, argv);
1077 	if (argc < 0)
1078 		exit(1);
1079 
1080 	while ((ch = getopt(argc, argv, "Ccfkm:vz")) != -1)
1081 		switch(ch) {
1082 		case 'C':
1083 			checkfor = 1;
1084 			break;
1085 		case 'c':
1086 			clear = 1;
1087 			break;
1088 		case 'f':
1089 			force = 1;
1090 			break;
1091 		case 'k':
1092 			keep = 1;
1093 			break;
1094 		case 'm':
1095 			maxdumps = atoi(optarg);
1096 			if (maxdumps <= 0) {
1097 				logmsg(LOG_ERR, "Invalid maxdump value");
1098 				exit(1);
1099 			}
1100 			break;
1101 		case 'v':
1102 			verbose++;
1103 			break;
1104 		case 'z':
1105 			compress = 1;
1106 			break;
1107 		case '?':
1108 		default:
1109 			usage();
1110 		}
1111 	if (checkfor && (clear || force || keep))
1112 		usage();
1113 	if (clear && (compress || keep))
1114 		usage();
1115 	if (maxdumps > 0 && (checkfor || clear))
1116 		usage();
1117 	argc -= optind;
1118 	argv += optind;
1119 	if (argc >= 1 && !checkfor && !clear) {
1120 		error = chdir(argv[0]);
1121 		if (error) {
1122 			logmsg(LOG_ERR, "chdir(%s): %m", argv[0]);
1123 			exit(1);
1124 		}
1125 		savedir = argv[0];
1126 		argc--;
1127 		argv++;
1128 	}
1129 	if (argc == 0)
1130 		argv = enum_dumpdevs(&argc);
1131 
1132 	savedirfd = open(savedir, O_RDONLY | O_DIRECTORY);
1133 	if (savedirfd < 0) {
1134 		logmsg(LOG_ERR, "open(%s): %m", savedir);
1135 		exit(1);
1136 	}
1137 	(void)cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, CAP_FSTATAT,
1138 	    CAP_FSTATFS, CAP_PREAD, CAP_SYMLINKAT, CAP_FTRUNCATE, CAP_UNLINKAT,
1139 	    CAP_WRITE);
1140 	if (caph_rights_limit(savedirfd, &rights) < 0) {
1141 		logmsg(LOG_ERR, "cap_rights_limit(): %m");
1142 		exit(1);
1143 	}
1144 
1145 	/* Enter capability mode. */
1146 	init_caps(argc, argv);
1147 
1148 	for (i = 0; i < argc; i++)
1149 		DoFile(savedir, savedirfd, argv[i]);
1150 
1151 	/* Emit minimal output. */
1152 	if (nfound == 0) {
1153 		if (checkfor) {
1154 			if (verbose)
1155 				printf("No dump exists\n");
1156 			exit(1);
1157 		}
1158 		if (verbose)
1159 			logmsg(LOG_WARNING, "no dumps found");
1160 	} else if (nsaved == 0) {
1161 		if (nerr != 0) {
1162 			if (verbose)
1163 				logmsg(LOG_WARNING,
1164 				    "unsaved dumps found but not saved");
1165 			exit(1);
1166 		} else if (verbose)
1167 			logmsg(LOG_WARNING, "no unsaved dumps found");
1168 	}
1169 
1170 	return (0);
1171 }
1172 
1173 static void
1174 infohandler(int sig __unused)
1175 {
1176 	got_siginfo = 1;
1177 }
1178