xref: /freebsd/sys/dev/filemon/filemon_wrapper.c (revision 52f72944b8f5abb2386eae924357dee8aea17d5b)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2011, David E. O'Brien.
5  * Copyright (c) 2009-2011, Juniper Networks, Inc.
6  * Copyright (c) 2015-2016, EMC Corp.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 #include <sys/eventhandler.h>
35 #include <sys/filedesc.h>
36 #include <sys/imgact.h>
37 #include <sys/priv.h>
38 #include <sys/sx.h>
39 #include <sys/sysent.h>
40 #include <sys/vnode.h>
41 
42 #include "opt_compat.h"
43 
44 static eventhandler_tag filemon_exec_tag;
45 static eventhandler_tag filemon_exit_tag;
46 static eventhandler_tag filemon_fork_tag;
47 
48 static void
49 filemon_output(struct filemon *filemon, char *msg, size_t len)
50 {
51 	struct uio auio;
52 	struct iovec aiov;
53 	int error;
54 
55 	if (filemon->fp == NULL)
56 		return;
57 
58 	aiov.iov_base = msg;
59 	aiov.iov_len = len;
60 	auio.uio_iov = &aiov;
61 	auio.uio_iovcnt = 1;
62 	auio.uio_resid = len;
63 	auio.uio_segflg = UIO_SYSSPACE;
64 	auio.uio_rw = UIO_WRITE;
65 	auio.uio_td = curthread;
66 	auio.uio_offset = (off_t) -1;
67 
68 	if (filemon->fp->f_type == DTYPE_VNODE)
69 		bwillwrite();
70 
71 	error = fo_write(filemon->fp, &auio, filemon->cred, 0, curthread);
72 	if (error != 0 && filemon->error == 0)
73 		filemon->error = error;
74 }
75 
76 static int
77 filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap)
78 {
79 	int error, ret;
80 	size_t len;
81 	struct filemon *filemon;
82 
83 	if ((ret = sys_chdir(td, uap)) == 0) {
84 		if ((filemon = filemon_proc_get(curproc)) != NULL) {
85 			if ((error = copyinstr(uap->path, filemon->fname1,
86 			    sizeof(filemon->fname1), NULL)) != 0) {
87 				filemon->error = error;
88 				goto copyfail;
89 			}
90 
91 			len = snprintf(filemon->msgbufr,
92 			    sizeof(filemon->msgbufr), "C %d %s\n",
93 			    curproc->p_pid, filemon->fname1);
94 
95 			filemon_output(filemon, filemon->msgbufr, len);
96 copyfail:
97 			filemon_drop(filemon);
98 		}
99 	}
100 
101 	return (ret);
102 }
103 
104 static void
105 filemon_event_process_exec(void *arg __unused, struct proc *p,
106     struct image_params *imgp)
107 {
108 	struct filemon *filemon;
109 	size_t len;
110 
111 	if ((filemon = filemon_proc_get(p)) != NULL) {
112 		len = snprintf(filemon->msgbufr,
113 		    sizeof(filemon->msgbufr), "E %d %s\n",
114 		    p->p_pid,
115 		    imgp->execpath != NULL ? imgp->execpath : "<unknown>");
116 
117 		filemon_output(filemon, filemon->msgbufr, len);
118 
119 		/* If the credentials changed then cease tracing. */
120 		if (imgp->newcred != NULL &&
121 		    imgp->credential_setid &&
122 		    priv_check_cred(filemon->cred,
123 		    PRIV_DEBUG_DIFFCRED, 0) != 0) {
124 			/*
125 			 * It may have changed to NULL already, but
126 			 * will not be re-attached by anything else.
127 			 */
128 			if (p->p_filemon != NULL) {
129 				KASSERT(p->p_filemon == filemon,
130 				    ("%s: proc %p didn't have expected"
131 				    " filemon %p", __func__, p, filemon));
132 				filemon_proc_drop(p);
133 			}
134 		}
135 
136 
137 		filemon_drop(filemon);
138 	}
139 }
140 
141 static void
142 _filemon_wrapper_openat(struct thread *td, char *upath, int flags, int fd)
143 {
144 	int error;
145 	size_t len;
146 	struct file *fp;
147 	struct filemon *filemon;
148 	char *atpath, *freepath;
149 	cap_rights_t rights;
150 
151 	if ((filemon = filemon_proc_get(curproc)) != NULL) {
152 		atpath = "";
153 		freepath = NULL;
154 		fp = NULL;
155 
156 		if ((error = copyinstr(upath, filemon->fname1,
157 		    sizeof(filemon->fname1), NULL)) != 0) {
158 			filemon->error = error;
159 			goto copyfail;
160 		}
161 
162 		if (filemon->fname1[0] != '/' && fd != AT_FDCWD) {
163 			/*
164 			 * rats - we cannot do too much about this.
165 			 * the trace should show a dir we read
166 			 * recently.. output an A record as a clue
167 			 * until we can do better.
168 			 * XXX: This may be able to come out with
169 			 * the namecache lookup now.
170 			 */
171 			len = snprintf(filemon->msgbufr,
172 			    sizeof(filemon->msgbufr), "A %d %s\n",
173 			    curproc->p_pid, filemon->fname1);
174 			filemon_output(filemon, filemon->msgbufr, len);
175 			/*
176 			 * Try to resolve the path from the vnode using the
177 			 * namecache.  It may be inaccurate, but better
178 			 * than nothing.
179 			 */
180 			if (getvnode(td, fd,
181 			    cap_rights_init(&rights, CAP_LOOKUP), &fp) == 0) {
182 				vn_fullpath(td, fp->f_vnode, &atpath,
183 				    &freepath);
184 			}
185 		}
186 		if (flags & O_RDWR) {
187 			/*
188 			 * We'll get the W record below, but need
189 			 * to also output an R to distinguish from
190 			 * O_WRONLY.
191 			 */
192 			len = snprintf(filemon->msgbufr,
193 			    sizeof(filemon->msgbufr), "R %d %s%s%s\n",
194 			    curproc->p_pid, atpath,
195 			    atpath[0] != '\0' ? "/" : "", filemon->fname1);
196 			filemon_output(filemon, filemon->msgbufr, len);
197 		}
198 
199 		len = snprintf(filemon->msgbufr,
200 		    sizeof(filemon->msgbufr), "%c %d %s%s%s\n",
201 		    (flags & O_ACCMODE) ? 'W':'R',
202 		    curproc->p_pid, atpath,
203 		    atpath[0] != '\0' ? "/" : "", filemon->fname1);
204 		filemon_output(filemon, filemon->msgbufr, len);
205 copyfail:
206 		filemon_drop(filemon);
207 		if (fp != NULL)
208 			fdrop(fp, td);
209 		free(freepath, M_TEMP);
210 	}
211 }
212 
213 static int
214 filemon_wrapper_open(struct thread *td, struct open_args *uap)
215 {
216 	int ret;
217 
218 	if ((ret = sys_open(td, uap)) == 0)
219 		_filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD);
220 
221 	return (ret);
222 }
223 
224 static int
225 filemon_wrapper_openat(struct thread *td, struct openat_args *uap)
226 {
227 	int ret;
228 
229 	if ((ret = sys_openat(td, uap)) == 0)
230 		_filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd);
231 
232 	return (ret);
233 }
234 
235 static int
236 filemon_wrapper_rename(struct thread *td, struct rename_args *uap)
237 {
238 	int error, ret;
239 	size_t len;
240 	struct filemon *filemon;
241 
242 	if ((ret = sys_rename(td, uap)) == 0) {
243 		if ((filemon = filemon_proc_get(curproc)) != NULL) {
244 			if (((error = copyinstr(uap->from, filemon->fname1,
245 			     sizeof(filemon->fname1), NULL)) != 0) ||
246 			    ((error = copyinstr(uap->to, filemon->fname2,
247 			     sizeof(filemon->fname2), NULL)) != 0)) {
248 				filemon->error = error;
249 				goto copyfail;
250 			}
251 
252 			len = snprintf(filemon->msgbufr,
253 			    sizeof(filemon->msgbufr), "M %d '%s' '%s'\n",
254 			    curproc->p_pid, filemon->fname1, filemon->fname2);
255 
256 			filemon_output(filemon, filemon->msgbufr, len);
257 copyfail:
258 			filemon_drop(filemon);
259 		}
260 	}
261 
262 	return (ret);
263 }
264 
265 static void
266 _filemon_wrapper_link(struct thread *td, char *upath1, char *upath2)
267 {
268 	struct filemon *filemon;
269 	size_t len;
270 	int error;
271 
272 	if ((filemon = filemon_proc_get(curproc)) != NULL) {
273 		if (((error = copyinstr(upath1, filemon->fname1,
274 		     sizeof(filemon->fname1), NULL)) != 0) ||
275 		    ((error = copyinstr(upath2, filemon->fname2,
276 		     sizeof(filemon->fname2), NULL)) != 0)) {
277 			filemon->error = error;
278 			goto copyfail;
279 		}
280 
281 		len = snprintf(filemon->msgbufr,
282 		    sizeof(filemon->msgbufr), "L %d '%s' '%s'\n",
283 		    curproc->p_pid, filemon->fname1, filemon->fname2);
284 
285 		filemon_output(filemon, filemon->msgbufr, len);
286 copyfail:
287 		filemon_drop(filemon);
288 	}
289 }
290 
291 static int
292 filemon_wrapper_link(struct thread *td, struct link_args *uap)
293 {
294 	int ret;
295 
296 	if ((ret = sys_link(td, uap)) == 0)
297 		_filemon_wrapper_link(td, uap->path, uap->link);
298 
299 	return (ret);
300 }
301 
302 static int
303 filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap)
304 {
305 	int ret;
306 
307 	if ((ret = sys_symlink(td, uap)) == 0)
308 		_filemon_wrapper_link(td, uap->path, uap->link);
309 
310 	return (ret);
311 }
312 
313 static int
314 filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap)
315 {
316 	int ret;
317 
318 	if ((ret = sys_linkat(td, uap)) == 0)
319 		_filemon_wrapper_link(td, uap->path1, uap->path2);
320 
321 	return (ret);
322 }
323 
324 static void
325 filemon_event_process_exit(void *arg __unused, struct proc *p)
326 {
327 	size_t len;
328 	struct filemon *filemon;
329 
330 	if ((filemon = filemon_proc_get(p)) != NULL) {
331 		len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
332 		    "X %d %d %d\n", p->p_pid, p->p_xexit, p->p_xsig);
333 
334 		filemon_output(filemon, filemon->msgbufr, len);
335 
336 		/*
337 		 * filemon_untrack_processes() may have dropped this p_filemon
338 		 * already while in filemon_proc_get() before acquiring the
339 		 * filemon lock.
340 		 */
341 		KASSERT(p->p_filemon == NULL || p->p_filemon == filemon,
342 		    ("%s: p %p was attached while exiting, expected "
343 		    "filemon %p or NULL", __func__, p, filemon));
344 		if (p->p_filemon == filemon)
345 			filemon_proc_drop(p);
346 
347 		filemon_drop(filemon);
348 	}
349 }
350 
351 static int
352 filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap)
353 {
354 	int error, ret;
355 	size_t len;
356 	struct filemon *filemon;
357 
358 	if ((ret = sys_unlink(td, uap)) == 0) {
359 		if ((filemon = filemon_proc_get(curproc)) != NULL) {
360 			if ((error = copyinstr(uap->path, filemon->fname1,
361 			    sizeof(filemon->fname1), NULL)) != 0) {
362 				filemon->error = error;
363 				goto copyfail;
364 			}
365 
366 			len = snprintf(filemon->msgbufr,
367 			    sizeof(filemon->msgbufr), "D %d %s\n",
368 			    curproc->p_pid, filemon->fname1);
369 
370 			filemon_output(filemon, filemon->msgbufr, len);
371 copyfail:
372 			filemon_drop(filemon);
373 		}
374 	}
375 
376 	return (ret);
377 }
378 
379 static void
380 filemon_event_process_fork(void *arg __unused, struct proc *p1,
381     struct proc *p2, int flags __unused)
382 {
383 	size_t len;
384 	struct filemon *filemon;
385 
386 	if ((filemon = filemon_proc_get(p1)) != NULL) {
387 		len = snprintf(filemon->msgbufr,
388 		    sizeof(filemon->msgbufr), "F %d %d\n",
389 		    p1->p_pid, p2->p_pid);
390 
391 		filemon_output(filemon, filemon->msgbufr, len);
392 
393 		/*
394 		 * filemon_untrack_processes() or
395 		 * filemon_ioctl(FILEMON_SET_PID) may have changed the parent's
396 		 * p_filemon while in filemon_proc_get() before acquiring the
397 		 * filemon lock.  Only inherit if the parent is still traced by
398 		 * this filemon.
399 		 */
400 		if (p1->p_filemon == filemon) {
401 			PROC_LOCK(p2);
402 			/*
403 			 * It may have been attached to already by a new
404 			 * filemon.
405 			 */
406 			if (p2->p_filemon == NULL) {
407 				p2->p_filemon = filemon_acquire(filemon);
408 				++filemon->proccnt;
409 			}
410 			PROC_UNLOCK(p2);
411 		}
412 
413 		filemon_drop(filemon);
414 	}
415 }
416 
417 static void
418 filemon_wrapper_install(void)
419 {
420 
421 	sysent[SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
422 	sysent[SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
423 	sysent[SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
424 	sysent[SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
425 	sysent[SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
426 	sysent[SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
427 	sysent[SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
428 	sysent[SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
429 
430 #if defined(COMPAT_FREEBSD32)
431 	freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
432 	freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
433 	freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
434 	freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
435 	freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
436 	freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
437 	freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
438 	freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
439 #endif	/* COMPAT_FREEBSD32 */
440 
441 	filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec,
442 	    filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST);
443 	filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit,
444 	    filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST);
445 	filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork,
446 	    filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST);
447 }
448 
449 static void
450 filemon_wrapper_deinstall(void)
451 {
452 
453 	sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
454 	sysent[SYS_open].sy_call = (sy_call_t *)sys_open;
455 	sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat;
456 	sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename;
457 	sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
458 	sysent[SYS_link].sy_call = (sy_call_t *)sys_link;
459 	sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
460 	sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
461 
462 #if defined(COMPAT_FREEBSD32)
463 	freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
464 	freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *)sys_open;
465 	freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *)sys_openat;
466 	freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *)sys_rename;
467 	freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
468 	freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *)sys_link;
469 	freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
470 	freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
471 #endif	/* COMPAT_FREEBSD32 */
472 
473 	EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag);
474 	EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag);
475 	EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag);
476 }
477