xref: /freebsd/sys/dev/filemon/filemon.c (revision b2d2a78ad80ec68d4a17f5aef97d21686cb1e29b)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2011, David E. O'Brien.
5  * Copyright (c) 2009-2011, Juniper Networks, Inc.
6  * Copyright (c) 2015-2016, EMC Corp.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 
31 #include <sys/param.h>
32 #include <sys/file.h>
33 #include <sys/systm.h>
34 #include <sys/buf.h>
35 #include <sys/capsicum.h>
36 #include <sys/condvar.h>
37 #include <sys/conf.h>
38 #include <sys/fcntl.h>
39 #include <sys/ioccom.h>
40 #include <sys/kernel.h>
41 #include <sys/lock.h>
42 #include <sys/malloc.h>
43 #include <sys/module.h>
44 #include <sys/poll.h>
45 #include <sys/proc.h>
46 #include <sys/sx.h>
47 #include <sys/syscall.h>
48 #include <sys/sysent.h>
49 #include <sys/sysproto.h>
50 #include <sys/uio.h>
51 
52 #include "filemon.h"
53 
54 #if defined(COMPAT_FREEBSD32)
55 #include <compat/freebsd32/freebsd32_syscall.h>
56 #include <compat/freebsd32/freebsd32_proto.h>
57 #include <compat/freebsd32/freebsd32_util.h>
58 #endif
59 
60 static d_close_t	filemon_close;
61 static d_ioctl_t	filemon_ioctl;
62 static d_open_t		filemon_open;
63 
64 static struct cdevsw filemon_cdevsw = {
65 	.d_version	= D_VERSION,
66 	.d_close	= filemon_close,
67 	.d_ioctl	= filemon_ioctl,
68 	.d_open		= filemon_open,
69 	.d_name		= "filemon",
70 };
71 
72 MALLOC_DECLARE(M_FILEMON);
73 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor");
74 
75 /*
76  * The filemon->lock protects several things currently:
77  * - fname1/fname2/msgbufr are pre-allocated and used per syscall
78  *   for logging and copyins rather than stack variables.
79  * - Serializing the filemon's log output.
80  * - Preventing inheritance or removal of the filemon into proc.p_filemon.
81  */
82 struct filemon {
83 	struct sx	lock;		/* Lock for this filemon. */
84 	struct file	*fp;		/* Output file pointer. */
85 	struct ucred	*cred;		/* Credential of tracer. */
86 	char		fname1[MAXPATHLEN]; /* Temporary filename buffer. */
87 	char		fname2[MAXPATHLEN]; /* Temporary filename buffer. */
88 	char		msgbufr[2*MAXPATHLEN + 100];	/* Output message buffer. */
89 	int		error;		/* Log write error, returned on close(2). */
90 	u_int		refcnt;		/* Pointer reference count. */
91 	u_int		proccnt;	/* Process count. */
92 };
93 
94 static struct cdev *filemon_dev;
95 static void filemon_output(struct filemon *filemon, char *msg, size_t len);
96 
97 static __inline struct filemon *
98 filemon_acquire(struct filemon *filemon)
99 {
100 
101 	if (filemon != NULL)
102 		refcount_acquire(&filemon->refcnt);
103 	return (filemon);
104 }
105 
106 /*
107  * Release a reference and free on the last one.
108  */
109 static void
110 filemon_release(struct filemon *filemon)
111 {
112 
113 	if (refcount_release(&filemon->refcnt) == 0)
114 		return;
115 	/*
116 	 * There are valid cases of releasing while locked, such as in
117 	 * filemon_untrack_processes, but none which are done where there
118 	 * is not at least 1 reference remaining.
119 	 */
120 	sx_assert(&filemon->lock, SA_UNLOCKED);
121 
122 	if (filemon->cred != NULL)
123 		crfree(filemon->cred);
124 	sx_destroy(&filemon->lock);
125 	free(filemon, M_FILEMON);
126 }
127 
128 /*
129  * Acquire the proc's p_filemon reference and lock the filemon.
130  * The proc's p_filemon may not match this filemon on return.
131  */
132 static struct filemon *
133 filemon_proc_get(struct proc *p)
134 {
135 	struct filemon *filemon;
136 
137 	if (p->p_filemon == NULL)
138 		return (NULL);
139 	PROC_LOCK(p);
140 	filemon = filemon_acquire(p->p_filemon);
141 	PROC_UNLOCK(p);
142 
143 	if (filemon == NULL)
144 		return (NULL);
145 	/*
146 	 * The p->p_filemon may have changed by now.  That case is handled
147 	 * by the exit and fork hooks and filemon_attach_proc specially.
148 	 */
149 	sx_xlock(&filemon->lock);
150 	return (filemon);
151 }
152 
153 /* Remove and release the filemon on the given process. */
154 static void
155 filemon_proc_drop(struct proc *p)
156 {
157 	struct filemon *filemon;
158 
159 	KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon",
160 	    __func__, p));
161 	sx_assert(&p->p_filemon->lock, SA_XLOCKED);
162 	PROC_LOCK(p);
163 	filemon = p->p_filemon;
164 	p->p_filemon = NULL;
165 	--filemon->proccnt;
166 	PROC_UNLOCK(p);
167 	/*
168 	 * This should not be the last reference yet.  filemon_release()
169 	 * cannot be called with filemon locked, which the caller expects
170 	 * will stay locked.
171 	 */
172 	KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p "
173 	    "with last reference", __func__, p, filemon));
174 	filemon_release(filemon);
175 }
176 
177 /* Unlock and release the filemon. */
178 static __inline void
179 filemon_drop(struct filemon *filemon)
180 {
181 
182 	sx_xunlock(&filemon->lock);
183 	filemon_release(filemon);
184 }
185 
186 #include "filemon_wrapper.c"
187 
188 static void
189 filemon_write_header(struct filemon *filemon)
190 {
191 	int len;
192 	struct timeval now;
193 
194 	getmicrotime(&now);
195 
196 	len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
197 	    "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n",
198 	    FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec,
199 	    (uintmax_t)now.tv_usec, FILEMON_VERSION);
200 	if (len < sizeof(filemon->msgbufr))
201 		filemon_output(filemon, filemon->msgbufr, len);
202 }
203 
204 /*
205  * Invalidate the passed filemon in all processes.
206  */
207 static void
208 filemon_untrack_processes(struct filemon *filemon)
209 {
210 	struct proc *p;
211 
212 	sx_assert(&filemon->lock, SA_XLOCKED);
213 
214 	/* Avoid allproc loop if there is no need. */
215 	if (filemon->proccnt == 0)
216 		return;
217 
218 	/*
219 	 * Processes in this list won't go away while here since
220 	 * filemon_event_process_exit() will lock on filemon->lock
221 	 * which we hold.
222 	 */
223 	sx_slock(&allproc_lock);
224 	FOREACH_PROC_IN_SYSTEM(p) {
225 		/*
226 		 * No PROC_LOCK is needed to compare here since it is
227 		 * guaranteed to not change since we have its filemon
228 		 * locked.  Everything that changes this p_filemon will
229 		 * be locked on it.
230 		 */
231 		if (p->p_filemon == filemon)
232 			filemon_proc_drop(p);
233 	}
234 	sx_sunlock(&allproc_lock);
235 
236 	/*
237 	 * It's possible some references were acquired but will be
238 	 * dropped shortly as they are restricted from being
239 	 * inherited.  There is at least the reference in cdevpriv remaining.
240 	 */
241 	KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have "
242 	    "references still.", __func__, filemon));
243 	KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have "
244 	    "attached procs still.", __func__, filemon));
245 }
246 
247 /*
248  * Close out the log.
249  */
250 static void
251 filemon_close_log(struct filemon *filemon)
252 {
253 	struct file *fp;
254 	struct timeval now;
255 	size_t len;
256 
257 	sx_assert(&filemon->lock, SA_XLOCKED);
258 	if (filemon->fp == NULL)
259 		return;
260 
261 	getmicrotime(&now);
262 
263 	len = snprintf(filemon->msgbufr,
264 	    sizeof(filemon->msgbufr),
265 	    "# Stop %ju.%06ju\n# Bye bye\n",
266 	    (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec);
267 
268 	if (len < sizeof(filemon->msgbufr))
269 		filemon_output(filemon, filemon->msgbufr, len);
270 	fp = filemon->fp;
271 	filemon->fp = NULL;
272 
273 	sx_xunlock(&filemon->lock);
274 	fdrop(fp, curthread);
275 	sx_xlock(&filemon->lock);
276 }
277 
278 /*
279  * The devfs file is being closed.  Untrace all processes.  It is possible
280  * filemon_close/close(2) was not called.
281  */
282 static void
283 filemon_dtr(void *data)
284 {
285 	struct filemon *filemon = data;
286 
287 	if (filemon == NULL)
288 		return;
289 
290 	sx_xlock(&filemon->lock);
291 	/*
292 	 * Detach the filemon.  It cannot be inherited after this.
293 	 */
294 	filemon_untrack_processes(filemon);
295 	filemon_close_log(filemon);
296 	filemon_drop(filemon);
297 }
298 
299 /* Attach the filemon to the process. */
300 static int
301 filemon_attach_proc(struct filemon *filemon, struct proc *p)
302 {
303 	struct filemon *filemon2;
304 
305 	sx_assert(&filemon->lock, SA_XLOCKED);
306 	PROC_LOCK_ASSERT(p, MA_OWNED);
307 	KASSERT((p->p_flag & P_WEXIT) == 0,
308 	    ("%s: filemon %p attaching to exiting process %p",
309 	    __func__, filemon, p));
310 	KASSERT((p->p_flag & P_INEXEC) == 0,
311 	    ("%s: filemon %p attaching to execing process %p",
312 	    __func__, filemon, p));
313 
314 	if (p->p_filemon == filemon)
315 		return (0);
316 	/*
317 	 * Don't allow truncating other process traces.  It is
318 	 * not really intended to trace procs other than curproc
319 	 * anyhow.
320 	 */
321 	if (p->p_filemon != NULL && p != curproc)
322 		return (EBUSY);
323 	/*
324 	 * Historic behavior of filemon has been to let a child initiate
325 	 * tracing on itself and cease existing tracing.  Bmake
326 	 * .META + .MAKE relies on this.  It is only relevant for attaching to
327 	 * curproc.
328 	 */
329 	while (p->p_filemon != NULL) {
330 		PROC_UNLOCK(p);
331 		sx_xunlock(&filemon->lock);
332 		while ((filemon2 = filemon_proc_get(p)) != NULL) {
333 			/* It may have changed. */
334 			if (p->p_filemon == filemon2)
335 				filemon_proc_drop(p);
336 			filemon_drop(filemon2);
337 		}
338 		sx_xlock(&filemon->lock);
339 		PROC_LOCK(p);
340 		/*
341 		 * It may have been attached to, though unlikely.
342 		 * Try again if needed.
343 		 */
344 	}
345 
346 	KASSERT(p->p_filemon == NULL,
347 	    ("%s: proc %p didn't detach filemon %p", __func__, p,
348 	    p->p_filemon));
349 	p->p_filemon = filemon_acquire(filemon);
350 	++filemon->proccnt;
351 
352 	return (0);
353 }
354 
355 static int
356 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
357     struct thread *td)
358 {
359 	struct filemon *filemon;
360 	struct file *fp;
361 	struct proc *p;
362 	int error;
363 
364 	if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
365 		return (error);
366 
367 	sx_xlock(&filemon->lock);
368 
369 	switch (cmd) {
370 	/* Set the output file descriptor. */
371 	case FILEMON_SET_FD:
372 		if (filemon->fp != NULL) {
373 			error = EEXIST;
374 			break;
375 		}
376 
377 		error = fget_write(td, *(int *)data, &cap_pwrite_rights, &fp);
378 		if (error == 0) {
379 			/*
380 			 * The filemon handle may be passed to another process,
381 			 * so the underlying file handle must support this.
382 			 */
383 			if ((fp->f_ops->fo_flags & DFLAG_PASSABLE) == 0) {
384 				fdrop(fp, curthread);
385 				error = EINVAL;
386 				break;
387 			}
388 			filemon->fp = fp;
389 			/* Write the file header. */
390 			filemon_write_header(filemon);
391 		}
392 		break;
393 
394 	/* Set the monitored process ID. */
395 	case FILEMON_SET_PID:
396 		/* Invalidate any existing processes already set. */
397 		filemon_untrack_processes(filemon);
398 
399 		error = pget(*((pid_t *)data),
400 		    PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p);
401 		if (error == 0) {
402 			KASSERT(p->p_filemon != filemon,
403 			    ("%s: proc %p didn't untrack filemon %p",
404 			    __func__, p, filemon));
405 			error = filemon_attach_proc(filemon, p);
406 			PROC_UNLOCK(p);
407 		}
408 		break;
409 
410 	default:
411 		error = EINVAL;
412 		break;
413 	}
414 
415 	sx_xunlock(&filemon->lock);
416 	return (error);
417 }
418 
419 static int
420 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused,
421     struct thread *td)
422 {
423 	int error;
424 	struct filemon *filemon;
425 
426 	filemon = malloc(sizeof(*filemon), M_FILEMON,
427 	    M_WAITOK | M_ZERO);
428 	sx_init(&filemon->lock, "filemon");
429 	refcount_init(&filemon->refcnt, 1);
430 	filemon->cred = crhold(td->td_ucred);
431 
432 	error = devfs_set_cdevpriv(filemon, filemon_dtr);
433 	if (error != 0)
434 		filemon_release(filemon);
435 
436 	return (error);
437 }
438 
439 /* Called on close of last devfs file handle, before filemon_dtr(). */
440 static int
441 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused,
442     struct thread *td __unused)
443 {
444 	struct filemon *filemon;
445 	int error;
446 
447 	if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
448 		return (error);
449 
450 	sx_xlock(&filemon->lock);
451 	filemon_close_log(filemon);
452 	error = filemon->error;
453 	sx_xunlock(&filemon->lock);
454 	/*
455 	 * Processes are still being traced but won't log anything
456 	 * now.  After this call returns filemon_dtr() is called which
457 	 * will detach processes.
458 	 */
459 
460 	return (error);
461 }
462 
463 static void
464 filemon_load(void *dummy __unused)
465 {
466 
467 	/* Install the syscall wrappers. */
468 	filemon_wrapper_install();
469 
470 	filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666,
471 	    "filemon");
472 }
473 
474 static int
475 filemon_unload(void)
476 {
477 
478 	destroy_dev(filemon_dev);
479 	filemon_wrapper_deinstall();
480 
481 	return (0);
482 }
483 
484 static int
485 filemon_modevent(module_t mod __unused, int type, void *data)
486 {
487 	int error = 0;
488 
489 	switch (type) {
490 	case MOD_LOAD:
491 		filemon_load(data);
492 		break;
493 
494 	case MOD_UNLOAD:
495 		error = filemon_unload();
496 		break;
497 
498 	case MOD_QUIESCE:
499 		/*
500 		 * The wrapper implementation is unsafe for reliable unload.
501 		 * Require forcing an unload.
502 		 */
503 		error = EBUSY;
504 		break;
505 
506 	case MOD_SHUTDOWN:
507 		break;
508 
509 	default:
510 		error = EOPNOTSUPP;
511 		break;
512 
513 	}
514 
515 	return (error);
516 }
517 
518 DEV_MODULE(filemon, filemon_modevent, NULL);
519 MODULE_VERSION(filemon, 1);
520