1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2011, David E. O'Brien. 5 * Copyright (c) 2009-2011, Juniper Networks, Inc. 6 * Copyright (c) 2015-2016, EMC Corp. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 #include <sys/cdefs.h> 32 __FBSDID("$FreeBSD$"); 33 34 #include "opt_compat.h" 35 36 #include <sys/param.h> 37 #include <sys/file.h> 38 #include <sys/systm.h> 39 #include <sys/buf.h> 40 #include <sys/capsicum.h> 41 #include <sys/condvar.h> 42 #include <sys/conf.h> 43 #include <sys/fcntl.h> 44 #include <sys/ioccom.h> 45 #include <sys/kernel.h> 46 #include <sys/lock.h> 47 #include <sys/malloc.h> 48 #include <sys/module.h> 49 #include <sys/poll.h> 50 #include <sys/proc.h> 51 #include <sys/sx.h> 52 #include <sys/syscall.h> 53 #include <sys/sysent.h> 54 #include <sys/sysproto.h> 55 #include <sys/uio.h> 56 57 #include "filemon.h" 58 59 #if defined(COMPAT_FREEBSD32) 60 #include <compat/freebsd32/freebsd32_syscall.h> 61 #include <compat/freebsd32/freebsd32_proto.h> 62 #include <compat/freebsd32/freebsd32_util.h> 63 #endif 64 65 static d_close_t filemon_close; 66 static d_ioctl_t filemon_ioctl; 67 static d_open_t filemon_open; 68 69 static struct cdevsw filemon_cdevsw = { 70 .d_version = D_VERSION, 71 .d_close = filemon_close, 72 .d_ioctl = filemon_ioctl, 73 .d_open = filemon_open, 74 .d_name = "filemon", 75 }; 76 77 MALLOC_DECLARE(M_FILEMON); 78 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); 79 80 /* 81 * The filemon->lock protects several things currently: 82 * - fname1/fname2/msgbufr are pre-allocated and used per syscall 83 * for logging and copyins rather than stack variables. 84 * - Serializing the filemon's log output. 85 * - Preventing inheritance or removal of the filemon into proc.p_filemon. 86 */ 87 struct filemon { 88 struct sx lock; /* Lock for this filemon. */ 89 struct file *fp; /* Output file pointer. */ 90 struct ucred *cred; /* Credential of tracer. */ 91 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ 92 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ 93 char msgbufr[1024]; /* Output message buffer. */ 94 int error; /* Log write error, returned on close(2). */ 95 u_int refcnt; /* Pointer reference count. */ 96 u_int proccnt; /* Process count. */ 97 }; 98 99 static struct cdev *filemon_dev; 100 static void filemon_output(struct filemon *filemon, char *msg, size_t len); 101 102 static __inline struct filemon * 103 filemon_acquire(struct filemon *filemon) 104 { 105 106 if (filemon != NULL) 107 refcount_acquire(&filemon->refcnt); 108 return (filemon); 109 } 110 111 /* 112 * Release a reference and free on the last one. 113 */ 114 static void 115 filemon_release(struct filemon *filemon) 116 { 117 118 if (refcount_release(&filemon->refcnt) == 0) 119 return; 120 /* 121 * There are valid cases of releasing while locked, such as in 122 * filemon_untrack_processes, but none which are done where there 123 * is not at least 1 reference remaining. 124 */ 125 sx_assert(&filemon->lock, SA_UNLOCKED); 126 127 if (filemon->cred != NULL) 128 crfree(filemon->cred); 129 sx_destroy(&filemon->lock); 130 free(filemon, M_FILEMON); 131 } 132 133 /* 134 * Acquire the proc's p_filemon reference and lock the filemon. 135 * The proc's p_filemon may not match this filemon on return. 136 */ 137 static struct filemon * 138 filemon_proc_get(struct proc *p) 139 { 140 struct filemon *filemon; 141 142 if (p->p_filemon == NULL) 143 return (NULL); 144 PROC_LOCK(p); 145 filemon = filemon_acquire(p->p_filemon); 146 PROC_UNLOCK(p); 147 148 if (filemon == NULL) 149 return (NULL); 150 /* 151 * The p->p_filemon may have changed by now. That case is handled 152 * by the exit and fork hooks and filemon_attach_proc specially. 153 */ 154 sx_xlock(&filemon->lock); 155 return (filemon); 156 } 157 158 /* Remove and release the filemon on the given process. */ 159 static void 160 filemon_proc_drop(struct proc *p) 161 { 162 struct filemon *filemon; 163 164 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", 165 __func__, p)); 166 sx_assert(&p->p_filemon->lock, SA_XLOCKED); 167 PROC_LOCK(p); 168 filemon = p->p_filemon; 169 p->p_filemon = NULL; 170 --filemon->proccnt; 171 PROC_UNLOCK(p); 172 /* 173 * This should not be the last reference yet. filemon_release() 174 * cannot be called with filemon locked, which the caller expects 175 * will stay locked. 176 */ 177 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " 178 "with last reference", __func__, p, filemon)); 179 filemon_release(filemon); 180 } 181 182 /* Unlock and release the filemon. */ 183 static __inline void 184 filemon_drop(struct filemon *filemon) 185 { 186 187 sx_xunlock(&filemon->lock); 188 filemon_release(filemon); 189 } 190 191 #include "filemon_wrapper.c" 192 193 static void 194 filemon_write_header(struct filemon *filemon) 195 { 196 int len; 197 struct timeval now; 198 199 getmicrotime(&now); 200 201 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), 202 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", 203 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, 204 (uintmax_t)now.tv_usec, FILEMON_VERSION); 205 206 filemon_output(filemon, filemon->msgbufr, len); 207 } 208 209 /* 210 * Invalidate the passed filemon in all processes. 211 */ 212 static void 213 filemon_untrack_processes(struct filemon *filemon) 214 { 215 struct proc *p; 216 217 sx_assert(&filemon->lock, SA_XLOCKED); 218 219 /* Avoid allproc loop if there is no need. */ 220 if (filemon->proccnt == 0) 221 return; 222 223 /* 224 * Processes in this list won't go away while here since 225 * filemon_event_process_exit() will lock on filemon->lock 226 * which we hold. 227 */ 228 sx_slock(&allproc_lock); 229 FOREACH_PROC_IN_SYSTEM(p) { 230 /* 231 * No PROC_LOCK is needed to compare here since it is 232 * guaranteed to not change since we have its filemon 233 * locked. Everything that changes this p_filemon will 234 * be locked on it. 235 */ 236 if (p->p_filemon == filemon) 237 filemon_proc_drop(p); 238 } 239 sx_sunlock(&allproc_lock); 240 241 /* 242 * It's possible some references were acquired but will be 243 * dropped shortly as they are restricted from being 244 * inherited. There is at least the reference in cdevpriv remaining. 245 */ 246 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " 247 "references still.", __func__, filemon)); 248 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " 249 "attached procs still.", __func__, filemon)); 250 } 251 252 /* 253 * Close out the log. 254 */ 255 static void 256 filemon_close_log(struct filemon *filemon) 257 { 258 struct file *fp; 259 struct timeval now; 260 size_t len; 261 262 sx_assert(&filemon->lock, SA_XLOCKED); 263 if (filemon->fp == NULL) 264 return; 265 266 getmicrotime(&now); 267 268 len = snprintf(filemon->msgbufr, 269 sizeof(filemon->msgbufr), 270 "# Stop %ju.%06ju\n# Bye bye\n", 271 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); 272 273 filemon_output(filemon, filemon->msgbufr, len); 274 fp = filemon->fp; 275 filemon->fp = NULL; 276 277 sx_xunlock(&filemon->lock); 278 fdrop(fp, curthread); 279 sx_xlock(&filemon->lock); 280 } 281 282 /* 283 * The devfs file is being closed. Untrace all processes. It is possible 284 * filemon_close/close(2) was not called. 285 */ 286 static void 287 filemon_dtr(void *data) 288 { 289 struct filemon *filemon = data; 290 291 if (filemon == NULL) 292 return; 293 294 sx_xlock(&filemon->lock); 295 /* 296 * Detach the filemon. It cannot be inherited after this. 297 */ 298 filemon_untrack_processes(filemon); 299 filemon_close_log(filemon); 300 filemon_drop(filemon); 301 } 302 303 /* Attach the filemon to the process. */ 304 static int 305 filemon_attach_proc(struct filemon *filemon, struct proc *p) 306 { 307 struct filemon *filemon2; 308 309 sx_assert(&filemon->lock, SA_XLOCKED); 310 PROC_LOCK_ASSERT(p, MA_OWNED); 311 KASSERT((p->p_flag & P_WEXIT) == 0, 312 ("%s: filemon %p attaching to exiting process %p", 313 __func__, filemon, p)); 314 KASSERT((p->p_flag & P_INEXEC) == 0, 315 ("%s: filemon %p attaching to execing process %p", 316 __func__, filemon, p)); 317 318 if (p->p_filemon == filemon) 319 return (0); 320 /* 321 * Don't allow truncating other process traces. It is 322 * not really intended to trace procs other than curproc 323 * anyhow. 324 */ 325 if (p->p_filemon != NULL && p != curproc) 326 return (EBUSY); 327 /* 328 * Historic behavior of filemon has been to let a child initiate 329 * tracing on itself and cease existing tracing. Bmake 330 * .META + .MAKE relies on this. It is only relevant for attaching to 331 * curproc. 332 */ 333 while (p->p_filemon != NULL) { 334 PROC_UNLOCK(p); 335 sx_xunlock(&filemon->lock); 336 while ((filemon2 = filemon_proc_get(p)) != NULL) { 337 /* It may have changed. */ 338 if (p->p_filemon == filemon2) 339 filemon_proc_drop(p); 340 filemon_drop(filemon2); 341 } 342 sx_xlock(&filemon->lock); 343 PROC_LOCK(p); 344 /* 345 * It may have been attached to, though unlikely. 346 * Try again if needed. 347 */ 348 } 349 350 KASSERT(p->p_filemon == NULL, 351 ("%s: proc %p didn't detach filemon %p", __func__, p, 352 p->p_filemon)); 353 p->p_filemon = filemon_acquire(filemon); 354 ++filemon->proccnt; 355 356 return (0); 357 } 358 359 static int 360 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, 361 struct thread *td) 362 { 363 int error = 0; 364 struct filemon *filemon; 365 struct proc *p; 366 cap_rights_t rights; 367 368 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 369 return (error); 370 371 sx_xlock(&filemon->lock); 372 373 switch (cmd) { 374 /* Set the output file descriptor. */ 375 case FILEMON_SET_FD: 376 if (filemon->fp != NULL) { 377 error = EEXIST; 378 break; 379 } 380 381 error = fget_write(td, *(int *)data, 382 cap_rights_init(&rights, CAP_PWRITE), 383 &filemon->fp); 384 if (error == 0) 385 /* Write the file header. */ 386 filemon_write_header(filemon); 387 break; 388 389 /* Set the monitored process ID. */ 390 case FILEMON_SET_PID: 391 /* Invalidate any existing processes already set. */ 392 filemon_untrack_processes(filemon); 393 394 error = pget(*((pid_t *)data), 395 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p); 396 if (error == 0) { 397 KASSERT(p->p_filemon != filemon, 398 ("%s: proc %p didn't untrack filemon %p", 399 __func__, p, filemon)); 400 error = filemon_attach_proc(filemon, p); 401 PROC_UNLOCK(p); 402 } 403 break; 404 405 default: 406 error = EINVAL; 407 break; 408 } 409 410 sx_xunlock(&filemon->lock); 411 return (error); 412 } 413 414 static int 415 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, 416 struct thread *td) 417 { 418 int error; 419 struct filemon *filemon; 420 421 filemon = malloc(sizeof(*filemon), M_FILEMON, 422 M_WAITOK | M_ZERO); 423 sx_init(&filemon->lock, "filemon"); 424 refcount_init(&filemon->refcnt, 1); 425 filemon->cred = crhold(td->td_ucred); 426 427 error = devfs_set_cdevpriv(filemon, filemon_dtr); 428 if (error != 0) 429 filemon_release(filemon); 430 431 return (error); 432 } 433 434 /* Called on close of last devfs file handle, before filemon_dtr(). */ 435 static int 436 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, 437 struct thread *td __unused) 438 { 439 struct filemon *filemon; 440 int error; 441 442 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 443 return (error); 444 445 sx_xlock(&filemon->lock); 446 filemon_close_log(filemon); 447 error = filemon->error; 448 sx_xunlock(&filemon->lock); 449 /* 450 * Processes are still being traced but won't log anything 451 * now. After this call returns filemon_dtr() is called which 452 * will detach processes. 453 */ 454 455 return (error); 456 } 457 458 static void 459 filemon_load(void *dummy __unused) 460 { 461 462 /* Install the syscall wrappers. */ 463 filemon_wrapper_install(); 464 465 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, 466 "filemon"); 467 } 468 469 static int 470 filemon_unload(void) 471 { 472 473 destroy_dev(filemon_dev); 474 filemon_wrapper_deinstall(); 475 476 return (0); 477 } 478 479 static int 480 filemon_modevent(module_t mod __unused, int type, void *data) 481 { 482 int error = 0; 483 484 switch (type) { 485 case MOD_LOAD: 486 filemon_load(data); 487 break; 488 489 case MOD_UNLOAD: 490 error = filemon_unload(); 491 break; 492 493 case MOD_QUIESCE: 494 /* 495 * The wrapper implementation is unsafe for reliable unload. 496 * Require forcing an unload. 497 */ 498 error = EBUSY; 499 break; 500 501 case MOD_SHUTDOWN: 502 break; 503 504 default: 505 error = EOPNOTSUPP; 506 break; 507 508 } 509 510 return (error); 511 } 512 513 DEV_MODULE(filemon, filemon_modevent, NULL); 514 MODULE_VERSION(filemon, 1); 515