xref: /freebsd/sys/dev/filemon/filemon.c (revision e12ff891366cf94db4bfe4c2c810b26a5531053d)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2011, David E. O'Brien.
5  * Copyright (c) 2009-2011, Juniper Networks, Inc.
6  * Copyright (c) 2015-2016, EMC Corp.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 #include <sys/param.h>
35 #include <sys/file.h>
36 #include <sys/systm.h>
37 #include <sys/buf.h>
38 #include <sys/capsicum.h>
39 #include <sys/condvar.h>
40 #include <sys/conf.h>
41 #include <sys/fcntl.h>
42 #include <sys/ioccom.h>
43 #include <sys/kernel.h>
44 #include <sys/lock.h>
45 #include <sys/malloc.h>
46 #include <sys/module.h>
47 #include <sys/poll.h>
48 #include <sys/proc.h>
49 #include <sys/sx.h>
50 #include <sys/syscall.h>
51 #include <sys/sysent.h>
52 #include <sys/sysproto.h>
53 #include <sys/uio.h>
54 
55 #include "filemon.h"
56 
57 #if defined(COMPAT_FREEBSD32)
58 #include <compat/freebsd32/freebsd32_syscall.h>
59 #include <compat/freebsd32/freebsd32_proto.h>
60 #include <compat/freebsd32/freebsd32_util.h>
61 #endif
62 
63 static d_close_t	filemon_close;
64 static d_ioctl_t	filemon_ioctl;
65 static d_open_t		filemon_open;
66 
67 static struct cdevsw filemon_cdevsw = {
68 	.d_version	= D_VERSION,
69 	.d_close	= filemon_close,
70 	.d_ioctl	= filemon_ioctl,
71 	.d_open		= filemon_open,
72 	.d_name		= "filemon",
73 };
74 
75 MALLOC_DECLARE(M_FILEMON);
76 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor");
77 
78 /*
79  * The filemon->lock protects several things currently:
80  * - fname1/fname2/msgbufr are pre-allocated and used per syscall
81  *   for logging and copyins rather than stack variables.
82  * - Serializing the filemon's log output.
83  * - Preventing inheritance or removal of the filemon into proc.p_filemon.
84  */
85 struct filemon {
86 	struct sx	lock;		/* Lock for this filemon. */
87 	struct file	*fp;		/* Output file pointer. */
88 	struct ucred	*cred;		/* Credential of tracer. */
89 	char		fname1[MAXPATHLEN]; /* Temporary filename buffer. */
90 	char		fname2[MAXPATHLEN]; /* Temporary filename buffer. */
91 	char		msgbufr[2*MAXPATHLEN + 100];	/* Output message buffer. */
92 	int		error;		/* Log write error, returned on close(2). */
93 	u_int		refcnt;		/* Pointer reference count. */
94 	u_int		proccnt;	/* Process count. */
95 };
96 
97 static struct cdev *filemon_dev;
98 static void filemon_output(struct filemon *filemon, char *msg, size_t len);
99 
100 static __inline struct filemon *
101 filemon_acquire(struct filemon *filemon)
102 {
103 
104 	if (filemon != NULL)
105 		refcount_acquire(&filemon->refcnt);
106 	return (filemon);
107 }
108 
109 /*
110  * Release a reference and free on the last one.
111  */
112 static void
113 filemon_release(struct filemon *filemon)
114 {
115 
116 	if (refcount_release(&filemon->refcnt) == 0)
117 		return;
118 	/*
119 	 * There are valid cases of releasing while locked, such as in
120 	 * filemon_untrack_processes, but none which are done where there
121 	 * is not at least 1 reference remaining.
122 	 */
123 	sx_assert(&filemon->lock, SA_UNLOCKED);
124 
125 	if (filemon->cred != NULL)
126 		crfree(filemon->cred);
127 	sx_destroy(&filemon->lock);
128 	free(filemon, M_FILEMON);
129 }
130 
131 /*
132  * Acquire the proc's p_filemon reference and lock the filemon.
133  * The proc's p_filemon may not match this filemon on return.
134  */
135 static struct filemon *
136 filemon_proc_get(struct proc *p)
137 {
138 	struct filemon *filemon;
139 
140 	if (p->p_filemon == NULL)
141 		return (NULL);
142 	PROC_LOCK(p);
143 	filemon = filemon_acquire(p->p_filemon);
144 	PROC_UNLOCK(p);
145 
146 	if (filemon == NULL)
147 		return (NULL);
148 	/*
149 	 * The p->p_filemon may have changed by now.  That case is handled
150 	 * by the exit and fork hooks and filemon_attach_proc specially.
151 	 */
152 	sx_xlock(&filemon->lock);
153 	return (filemon);
154 }
155 
156 /* Remove and release the filemon on the given process. */
157 static void
158 filemon_proc_drop(struct proc *p)
159 {
160 	struct filemon *filemon;
161 
162 	KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon",
163 	    __func__, p));
164 	sx_assert(&p->p_filemon->lock, SA_XLOCKED);
165 	PROC_LOCK(p);
166 	filemon = p->p_filemon;
167 	p->p_filemon = NULL;
168 	--filemon->proccnt;
169 	PROC_UNLOCK(p);
170 	/*
171 	 * This should not be the last reference yet.  filemon_release()
172 	 * cannot be called with filemon locked, which the caller expects
173 	 * will stay locked.
174 	 */
175 	KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p "
176 	    "with last reference", __func__, p, filemon));
177 	filemon_release(filemon);
178 }
179 
180 /* Unlock and release the filemon. */
181 static __inline void
182 filemon_drop(struct filemon *filemon)
183 {
184 
185 	sx_xunlock(&filemon->lock);
186 	filemon_release(filemon);
187 }
188 
189 #include "filemon_wrapper.c"
190 
191 static void
192 filemon_write_header(struct filemon *filemon)
193 {
194 	int len;
195 	struct timeval now;
196 
197 	getmicrotime(&now);
198 
199 	len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
200 	    "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n",
201 	    FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec,
202 	    (uintmax_t)now.tv_usec, FILEMON_VERSION);
203 	if (len < sizeof(filemon->msgbufr))
204 		filemon_output(filemon, filemon->msgbufr, len);
205 }
206 
207 /*
208  * Invalidate the passed filemon in all processes.
209  */
210 static void
211 filemon_untrack_processes(struct filemon *filemon)
212 {
213 	struct proc *p;
214 
215 	sx_assert(&filemon->lock, SA_XLOCKED);
216 
217 	/* Avoid allproc loop if there is no need. */
218 	if (filemon->proccnt == 0)
219 		return;
220 
221 	/*
222 	 * Processes in this list won't go away while here since
223 	 * filemon_event_process_exit() will lock on filemon->lock
224 	 * which we hold.
225 	 */
226 	sx_slock(&allproc_lock);
227 	FOREACH_PROC_IN_SYSTEM(p) {
228 		/*
229 		 * No PROC_LOCK is needed to compare here since it is
230 		 * guaranteed to not change since we have its filemon
231 		 * locked.  Everything that changes this p_filemon will
232 		 * be locked on it.
233 		 */
234 		if (p->p_filemon == filemon)
235 			filemon_proc_drop(p);
236 	}
237 	sx_sunlock(&allproc_lock);
238 
239 	/*
240 	 * It's possible some references were acquired but will be
241 	 * dropped shortly as they are restricted from being
242 	 * inherited.  There is at least the reference in cdevpriv remaining.
243 	 */
244 	KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have "
245 	    "references still.", __func__, filemon));
246 	KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have "
247 	    "attached procs still.", __func__, filemon));
248 }
249 
250 /*
251  * Close out the log.
252  */
253 static void
254 filemon_close_log(struct filemon *filemon)
255 {
256 	struct file *fp;
257 	struct timeval now;
258 	size_t len;
259 
260 	sx_assert(&filemon->lock, SA_XLOCKED);
261 	if (filemon->fp == NULL)
262 		return;
263 
264 	getmicrotime(&now);
265 
266 	len = snprintf(filemon->msgbufr,
267 	    sizeof(filemon->msgbufr),
268 	    "# Stop %ju.%06ju\n# Bye bye\n",
269 	    (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec);
270 
271 	if (len < sizeof(filemon->msgbufr))
272 		filemon_output(filemon, filemon->msgbufr, len);
273 	fp = filemon->fp;
274 	filemon->fp = NULL;
275 
276 	sx_xunlock(&filemon->lock);
277 	fdrop(fp, curthread);
278 	sx_xlock(&filemon->lock);
279 }
280 
281 /*
282  * The devfs file is being closed.  Untrace all processes.  It is possible
283  * filemon_close/close(2) was not called.
284  */
285 static void
286 filemon_dtr(void *data)
287 {
288 	struct filemon *filemon = data;
289 
290 	if (filemon == NULL)
291 		return;
292 
293 	sx_xlock(&filemon->lock);
294 	/*
295 	 * Detach the filemon.  It cannot be inherited after this.
296 	 */
297 	filemon_untrack_processes(filemon);
298 	filemon_close_log(filemon);
299 	filemon_drop(filemon);
300 }
301 
302 /* Attach the filemon to the process. */
303 static int
304 filemon_attach_proc(struct filemon *filemon, struct proc *p)
305 {
306 	struct filemon *filemon2;
307 
308 	sx_assert(&filemon->lock, SA_XLOCKED);
309 	PROC_LOCK_ASSERT(p, MA_OWNED);
310 	KASSERT((p->p_flag & P_WEXIT) == 0,
311 	    ("%s: filemon %p attaching to exiting process %p",
312 	    __func__, filemon, p));
313 	KASSERT((p->p_flag & P_INEXEC) == 0,
314 	    ("%s: filemon %p attaching to execing process %p",
315 	    __func__, filemon, p));
316 
317 	if (p->p_filemon == filemon)
318 		return (0);
319 	/*
320 	 * Don't allow truncating other process traces.  It is
321 	 * not really intended to trace procs other than curproc
322 	 * anyhow.
323 	 */
324 	if (p->p_filemon != NULL && p != curproc)
325 		return (EBUSY);
326 	/*
327 	 * Historic behavior of filemon has been to let a child initiate
328 	 * tracing on itself and cease existing tracing.  Bmake
329 	 * .META + .MAKE relies on this.  It is only relevant for attaching to
330 	 * curproc.
331 	 */
332 	while (p->p_filemon != NULL) {
333 		PROC_UNLOCK(p);
334 		sx_xunlock(&filemon->lock);
335 		while ((filemon2 = filemon_proc_get(p)) != NULL) {
336 			/* It may have changed. */
337 			if (p->p_filemon == filemon2)
338 				filemon_proc_drop(p);
339 			filemon_drop(filemon2);
340 		}
341 		sx_xlock(&filemon->lock);
342 		PROC_LOCK(p);
343 		/*
344 		 * It may have been attached to, though unlikely.
345 		 * Try again if needed.
346 		 */
347 	}
348 
349 	KASSERT(p->p_filemon == NULL,
350 	    ("%s: proc %p didn't detach filemon %p", __func__, p,
351 	    p->p_filemon));
352 	p->p_filemon = filemon_acquire(filemon);
353 	++filemon->proccnt;
354 
355 	return (0);
356 }
357 
358 static int
359 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
360     struct thread *td)
361 {
362 	int error = 0;
363 	struct filemon *filemon;
364 	struct proc *p;
365 
366 	if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
367 		return (error);
368 
369 	sx_xlock(&filemon->lock);
370 
371 	switch (cmd) {
372 	/* Set the output file descriptor. */
373 	case FILEMON_SET_FD:
374 		if (filemon->fp != NULL) {
375 			error = EEXIST;
376 			break;
377 		}
378 
379 		error = fget_write(td, *(int *)data,
380 		    &cap_pwrite_rights,
381 		    &filemon->fp);
382 		if (error == 0)
383 			/* Write the file header. */
384 			filemon_write_header(filemon);
385 		break;
386 
387 	/* Set the monitored process ID. */
388 	case FILEMON_SET_PID:
389 		/* Invalidate any existing processes already set. */
390 		filemon_untrack_processes(filemon);
391 
392 		error = pget(*((pid_t *)data),
393 		    PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p);
394 		if (error == 0) {
395 			KASSERT(p->p_filemon != filemon,
396 			    ("%s: proc %p didn't untrack filemon %p",
397 			    __func__, p, filemon));
398 			error = filemon_attach_proc(filemon, p);
399 			PROC_UNLOCK(p);
400 		}
401 		break;
402 
403 	default:
404 		error = EINVAL;
405 		break;
406 	}
407 
408 	sx_xunlock(&filemon->lock);
409 	return (error);
410 }
411 
412 static int
413 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused,
414     struct thread *td)
415 {
416 	int error;
417 	struct filemon *filemon;
418 
419 	filemon = malloc(sizeof(*filemon), M_FILEMON,
420 	    M_WAITOK | M_ZERO);
421 	sx_init(&filemon->lock, "filemon");
422 	refcount_init(&filemon->refcnt, 1);
423 	filemon->cred = crhold(td->td_ucred);
424 
425 	error = devfs_set_cdevpriv(filemon, filemon_dtr);
426 	if (error != 0)
427 		filemon_release(filemon);
428 
429 	return (error);
430 }
431 
432 /* Called on close of last devfs file handle, before filemon_dtr(). */
433 static int
434 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused,
435     struct thread *td __unused)
436 {
437 	struct filemon *filemon;
438 	int error;
439 
440 	if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
441 		return (error);
442 
443 	sx_xlock(&filemon->lock);
444 	filemon_close_log(filemon);
445 	error = filemon->error;
446 	sx_xunlock(&filemon->lock);
447 	/*
448 	 * Processes are still being traced but won't log anything
449 	 * now.  After this call returns filemon_dtr() is called which
450 	 * will detach processes.
451 	 */
452 
453 	return (error);
454 }
455 
456 static void
457 filemon_load(void *dummy __unused)
458 {
459 
460 	/* Install the syscall wrappers. */
461 	filemon_wrapper_install();
462 
463 	filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666,
464 	    "filemon");
465 }
466 
467 static int
468 filemon_unload(void)
469 {
470 
471 	destroy_dev(filemon_dev);
472 	filemon_wrapper_deinstall();
473 
474 	return (0);
475 }
476 
477 static int
478 filemon_modevent(module_t mod __unused, int type, void *data)
479 {
480 	int error = 0;
481 
482 	switch (type) {
483 	case MOD_LOAD:
484 		filemon_load(data);
485 		break;
486 
487 	case MOD_UNLOAD:
488 		error = filemon_unload();
489 		break;
490 
491 	case MOD_QUIESCE:
492 		/*
493 		 * The wrapper implementation is unsafe for reliable unload.
494 		 * Require forcing an unload.
495 		 */
496 		error = EBUSY;
497 		break;
498 
499 	case MOD_SHUTDOWN:
500 		break;
501 
502 	default:
503 		error = EOPNOTSUPP;
504 		break;
505 
506 	}
507 
508 	return (error);
509 }
510 
511 DEV_MODULE(filemon, filemon_modevent, NULL);
512 MODULE_VERSION(filemon, 1);
513