1 /*- 2 * Copyright (c) 2011, David E. O'Brien. 3 * Copyright (c) 2009-2011, Juniper Networks, Inc. 4 * Copyright (c) 2015-2016, EMC Corp. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 #include "opt_compat.h" 33 34 #include <sys/param.h> 35 #include <sys/file.h> 36 #include <sys/systm.h> 37 #include <sys/buf.h> 38 #include <sys/capsicum.h> 39 #include <sys/condvar.h> 40 #include <sys/conf.h> 41 #include <sys/fcntl.h> 42 #include <sys/ioccom.h> 43 #include <sys/kernel.h> 44 #include <sys/lock.h> 45 #include <sys/malloc.h> 46 #include <sys/module.h> 47 #include <sys/poll.h> 48 #include <sys/proc.h> 49 #include <sys/sx.h> 50 #include <sys/syscall.h> 51 #include <sys/sysent.h> 52 #include <sys/sysproto.h> 53 #include <sys/uio.h> 54 55 #include "filemon.h" 56 57 #if defined(COMPAT_IA32) || defined(COMPAT_FREEBSD32) || defined(COMPAT_ARCH32) 58 #include <compat/freebsd32/freebsd32_syscall.h> 59 #include <compat/freebsd32/freebsd32_proto.h> 60 61 extern struct sysentvec ia32_freebsd_sysvec; 62 #endif 63 64 extern struct sysentvec elf32_freebsd_sysvec; 65 extern struct sysentvec elf64_freebsd_sysvec; 66 67 static d_close_t filemon_close; 68 static d_ioctl_t filemon_ioctl; 69 static d_open_t filemon_open; 70 71 static struct cdevsw filemon_cdevsw = { 72 .d_version = D_VERSION, 73 .d_close = filemon_close, 74 .d_ioctl = filemon_ioctl, 75 .d_open = filemon_open, 76 .d_name = "filemon", 77 }; 78 79 MALLOC_DECLARE(M_FILEMON); 80 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); 81 82 /* 83 * The filemon->lock protects several things currently: 84 * - fname1/fname2/msgbufr are pre-allocated and used per syscall 85 * for logging and copyins rather than stack variables. 86 * - Serializing the filemon's log output. 87 * - Preventing inheritance or removal of the filemon into proc.p_filemon. 88 */ 89 struct filemon { 90 struct sx lock; /* Lock for this filemon. */ 91 struct file *fp; /* Output file pointer. */ 92 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ 93 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ 94 char msgbufr[1024]; /* Output message buffer. */ 95 int error; /* Log write error, returned on close(2). */ 96 u_int refcnt; /* Pointer reference count. */ 97 u_int proccnt; /* Process count. */ 98 }; 99 100 static struct cdev *filemon_dev; 101 static void filemon_output(struct filemon *filemon, char *msg, size_t len); 102 103 static __inline struct filemon * 104 filemon_acquire(struct filemon *filemon) 105 { 106 107 if (filemon != NULL) 108 refcount_acquire(&filemon->refcnt); 109 return (filemon); 110 } 111 112 /* 113 * Release a reference and free on the last one. 114 */ 115 static void 116 filemon_release(struct filemon *filemon) 117 { 118 119 if (refcount_release(&filemon->refcnt) == 0) 120 return; 121 /* 122 * There are valid cases of releasing while locked, such as in 123 * filemon_untrack_processes, but none which are done where there 124 * is not at least 1 reference remaining. 125 */ 126 sx_assert(&filemon->lock, SA_UNLOCKED); 127 128 sx_destroy(&filemon->lock); 129 free(filemon, M_FILEMON); 130 } 131 132 /* 133 * Acquire the proc's p_filemon reference and lock the filemon. 134 * The proc's p_filemon may not match this filemon on return. 135 */ 136 static struct filemon * 137 filemon_proc_get(struct proc *p) 138 { 139 struct filemon *filemon; 140 141 PROC_LOCK(p); 142 filemon = filemon_acquire(p->p_filemon); 143 PROC_UNLOCK(p); 144 145 if (filemon == NULL) 146 return (NULL); 147 /* 148 * The p->p_filemon may have changed by now. That case is handled 149 * by the exit and fork hooks and filemon_attach_proc specially. 150 */ 151 sx_xlock(&filemon->lock); 152 return (filemon); 153 } 154 155 /* Remove and release the filemon on the given process. */ 156 static void 157 filemon_proc_drop(struct proc *p) 158 { 159 struct filemon *filemon; 160 161 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", 162 __func__, p)); 163 sx_assert(&p->p_filemon->lock, SA_XLOCKED); 164 PROC_LOCK(p); 165 filemon = p->p_filemon; 166 p->p_filemon = NULL; 167 --filemon->proccnt; 168 PROC_UNLOCK(p); 169 /* 170 * This should not be the last reference yet. filemon_release() 171 * cannot be called with filemon locked, which the caller expects 172 * will stay locked. 173 */ 174 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " 175 "with last reference", __func__, p, filemon)); 176 filemon_release(filemon); 177 } 178 179 /* Unlock and release the filemon. */ 180 static __inline void 181 filemon_drop(struct filemon *filemon) 182 { 183 184 sx_xunlock(&filemon->lock); 185 filemon_release(filemon); 186 } 187 188 #include "filemon_wrapper.c" 189 190 static void 191 filemon_comment(struct filemon *filemon) 192 { 193 int len; 194 struct timeval now; 195 196 getmicrotime(&now); 197 198 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), 199 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", 200 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, 201 (uintmax_t)now.tv_usec, FILEMON_VERSION); 202 203 filemon_output(filemon, filemon->msgbufr, len); 204 } 205 206 /* 207 * Invalidate the passed filemon in all processes. 208 */ 209 static void 210 filemon_untrack_processes(struct filemon *filemon) 211 { 212 struct proc *p; 213 214 sx_assert(&filemon->lock, SA_XLOCKED); 215 216 /* Avoid allproc loop if there is no need. */ 217 if (filemon->proccnt == 0) 218 return; 219 220 /* 221 * Processes in this list won't go away while here since 222 * filemon_event_process_exit() will lock on filemon->lock 223 * which we hold. 224 */ 225 sx_slock(&allproc_lock); 226 FOREACH_PROC_IN_SYSTEM(p) { 227 /* 228 * No PROC_LOCK is needed to compare here since it is 229 * guaranteed to not change since we have its filemon 230 * locked. Everything that changes this p_filemon will 231 * be locked on it. 232 */ 233 if (p->p_filemon == filemon) 234 filemon_proc_drop(p); 235 } 236 sx_sunlock(&allproc_lock); 237 238 /* 239 * It's possible some references were acquired but will be 240 * dropped shortly as they are restricted from being 241 * inherited. There is at least the reference in cdevpriv remaining. 242 */ 243 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " 244 "references still.", __func__, filemon)); 245 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " 246 "attached procs still.", __func__, filemon)); 247 } 248 249 /* 250 * Close out the log. 251 */ 252 static void 253 filemon_close_log(struct filemon *filemon) 254 { 255 struct file *fp; 256 struct timeval now; 257 size_t len; 258 259 sx_assert(&filemon->lock, SA_XLOCKED); 260 if (filemon->fp == NULL) 261 return; 262 263 getmicrotime(&now); 264 265 len = snprintf(filemon->msgbufr, 266 sizeof(filemon->msgbufr), 267 "# Stop %ju.%06ju\n# Bye bye\n", 268 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); 269 270 filemon_output(filemon, filemon->msgbufr, len); 271 fp = filemon->fp; 272 filemon->fp = NULL; 273 274 sx_xunlock(&filemon->lock); 275 fdrop(fp, curthread); 276 sx_xlock(&filemon->lock); 277 } 278 279 /* 280 * The devfs file is being closed. Untrace all processes. It is possible 281 * filemon_close/close(2) was not called. 282 */ 283 static void 284 filemon_dtr(void *data) 285 { 286 struct filemon *filemon = data; 287 288 if (filemon == NULL) 289 return; 290 291 sx_xlock(&filemon->lock); 292 /* 293 * Detach the filemon. It cannot be inherited after this. 294 */ 295 filemon_untrack_processes(filemon); 296 filemon_close_log(filemon); 297 filemon_drop(filemon); 298 } 299 300 /* Attach the filemon to the process. */ 301 static int 302 filemon_attach_proc(struct filemon *filemon, struct proc *p) 303 { 304 struct filemon *filemon2; 305 306 sx_assert(&filemon->lock, SA_XLOCKED); 307 PROC_LOCK_ASSERT(p, MA_OWNED); 308 KASSERT((p->p_flag & P_WEXIT) == 0, 309 ("%s: filemon %p attaching to exiting process %p", 310 __func__, filemon, p)); 311 312 if (p->p_filemon == filemon) 313 return (0); 314 /* 315 * Don't allow truncating other process traces. It is 316 * not really intended to trace procs other than curproc 317 * anyhow. 318 */ 319 if (p->p_filemon != NULL && p != curproc) 320 return (EBUSY); 321 /* 322 * Historic behavior of filemon has been to let a child initiate 323 * tracing on itself and cease existing tracing. Bmake 324 * .META + .MAKE relies on this. It is only relevant for attaching to 325 * curproc. 326 */ 327 while (p->p_filemon != NULL) { 328 PROC_UNLOCK(p); 329 sx_xunlock(&filemon->lock); 330 while ((filemon2 = filemon_proc_get(p)) != NULL) { 331 /* It may have changed. */ 332 if (p->p_filemon == filemon2) 333 filemon_proc_drop(p); 334 filemon_drop(filemon2); 335 } 336 sx_xlock(&filemon->lock); 337 PROC_LOCK(p); 338 /* 339 * It may have been attached to, though unlikely. 340 * Try again if needed. 341 */ 342 } 343 344 KASSERT(p->p_filemon == NULL, 345 ("%s: proc %p didn't detach filemon %p", __func__, p, 346 p->p_filemon)); 347 p->p_filemon = filemon_acquire(filemon); 348 ++filemon->proccnt; 349 350 return (0); 351 } 352 353 static int 354 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, 355 struct thread *td) 356 { 357 int error = 0; 358 struct filemon *filemon; 359 struct proc *p; 360 cap_rights_t rights; 361 362 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 363 return (error); 364 365 sx_xlock(&filemon->lock); 366 367 switch (cmd) { 368 /* Set the output file descriptor. */ 369 case FILEMON_SET_FD: 370 if (filemon->fp != NULL) { 371 error = EEXIST; 372 break; 373 } 374 375 error = fget_write(td, *(int *)data, 376 cap_rights_init(&rights, CAP_PWRITE), 377 &filemon->fp); 378 if (error == 0) 379 /* Write the file header. */ 380 filemon_comment(filemon); 381 break; 382 383 /* Set the monitored process ID. */ 384 case FILEMON_SET_PID: 385 /* Invalidate any existing processes already set. */ 386 filemon_untrack_processes(filemon); 387 388 error = pget(*((pid_t *)data), PGET_CANDEBUG | PGET_NOTWEXIT, 389 &p); 390 if (error == 0) { 391 KASSERT(p->p_filemon != filemon, 392 ("%s: proc %p didn't untrack filemon %p", 393 __func__, p, filemon)); 394 error = filemon_attach_proc(filemon, p); 395 PROC_UNLOCK(p); 396 } 397 break; 398 399 default: 400 error = EINVAL; 401 break; 402 } 403 404 sx_xunlock(&filemon->lock); 405 return (error); 406 } 407 408 static int 409 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, 410 struct thread *td __unused) 411 { 412 int error; 413 struct filemon *filemon; 414 415 filemon = malloc(sizeof(*filemon), M_FILEMON, 416 M_WAITOK | M_ZERO); 417 sx_init(&filemon->lock, "filemon"); 418 refcount_init(&filemon->refcnt, 1); 419 420 error = devfs_set_cdevpriv(filemon, filemon_dtr); 421 if (error != 0) 422 filemon_release(filemon); 423 424 return (error); 425 } 426 427 /* Called on close of last devfs file handle, before filemon_dtr(). */ 428 static int 429 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, 430 struct thread *td __unused) 431 { 432 struct filemon *filemon; 433 int error; 434 435 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 436 return (error); 437 438 sx_xlock(&filemon->lock); 439 filemon_close_log(filemon); 440 error = filemon->error; 441 sx_xunlock(&filemon->lock); 442 /* 443 * Processes are still being traced but won't log anything 444 * now. After this call returns filemon_dtr() is called which 445 * will detach processes. 446 */ 447 448 return (error); 449 } 450 451 static void 452 filemon_load(void *dummy __unused) 453 { 454 455 /* Install the syscall wrappers. */ 456 filemon_wrapper_install(); 457 458 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, 459 "filemon"); 460 } 461 462 static int 463 filemon_unload(void) 464 { 465 466 destroy_dev(filemon_dev); 467 filemon_wrapper_deinstall(); 468 469 return (0); 470 } 471 472 static int 473 filemon_modevent(module_t mod __unused, int type, void *data) 474 { 475 int error = 0; 476 477 switch (type) { 478 case MOD_LOAD: 479 filemon_load(data); 480 break; 481 482 case MOD_UNLOAD: 483 error = filemon_unload(); 484 break; 485 486 case MOD_QUIESCE: 487 /* 488 * The wrapper implementation is unsafe for reliable unload. 489 * Require forcing an unload. 490 */ 491 error = EBUSY; 492 break; 493 494 case MOD_SHUTDOWN: 495 break; 496 497 default: 498 error = EOPNOTSUPP; 499 break; 500 501 } 502 503 return (error); 504 } 505 506 DEV_MODULE(filemon, filemon_modevent, NULL); 507 MODULE_VERSION(filemon, 1); 508