1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2011, David E. O'Brien. 5 * Copyright (c) 2009-2011, Juniper Networks, Inc. 6 * Copyright (c) 2015-2016, EMC Corp. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 #include <sys/cdefs.h> 32 __FBSDID("$FreeBSD$"); 33 34 #include <sys/eventhandler.h> 35 #include <sys/filedesc.h> 36 #include <sys/imgact.h> 37 #include <sys/priv.h> 38 #include <sys/sx.h> 39 #include <sys/sysent.h> 40 #include <sys/vnode.h> 41 42 #include <machine/stdarg.h> 43 44 static void filemon_output_event(struct filemon *filemon, const char *fmt, ...) 45 __printflike(2, 3); 46 47 static eventhandler_tag filemon_exec_tag; 48 static eventhandler_tag filemon_exit_tag; 49 static eventhandler_tag filemon_fork_tag; 50 51 static void 52 filemon_output(struct filemon *filemon, char *msg, size_t len) 53 { 54 struct uio auio; 55 struct iovec aiov; 56 int error; 57 58 if (filemon->fp == NULL) 59 return; 60 61 aiov.iov_base = msg; 62 aiov.iov_len = len; 63 auio.uio_iov = &aiov; 64 auio.uio_iovcnt = 1; 65 auio.uio_resid = len; 66 auio.uio_segflg = UIO_SYSSPACE; 67 auio.uio_rw = UIO_WRITE; 68 auio.uio_td = curthread; 69 auio.uio_offset = (off_t) -1; 70 71 if (filemon->fp->f_type == DTYPE_VNODE) 72 bwillwrite(); 73 74 error = fo_write(filemon->fp, &auio, filemon->cred, 0, curthread); 75 if (error != 0 && filemon->error == 0) 76 filemon->error = error; 77 } 78 79 static void 80 filemon_output_event(struct filemon *filemon, const char *fmt, ...) 81 { 82 va_list ap; 83 size_t len; 84 85 va_start(ap, fmt); 86 len = vsnprintf(filemon->msgbufr, sizeof(filemon->msgbufr), fmt, ap); 87 va_end(ap); 88 /* The event is truncated but still worth logging. */ 89 if (len >= sizeof(filemon->msgbufr)) 90 len = sizeof(filemon->msgbufr) - 1; 91 filemon_output(filemon, filemon->msgbufr, len); 92 } 93 94 static int 95 filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap) 96 { 97 int error, ret; 98 struct filemon *filemon; 99 100 if ((ret = sys_chdir(td, uap)) == 0) { 101 if ((filemon = filemon_proc_get(curproc)) != NULL) { 102 if ((error = copyinstr(uap->path, filemon->fname1, 103 sizeof(filemon->fname1), NULL)) != 0) { 104 filemon->error = error; 105 goto copyfail; 106 } 107 108 filemon_output_event(filemon, "C %d %s\n", 109 curproc->p_pid, filemon->fname1); 110 copyfail: 111 filemon_drop(filemon); 112 } 113 } 114 115 return (ret); 116 } 117 118 static void 119 filemon_event_process_exec(void *arg __unused, struct proc *p, 120 struct image_params *imgp) 121 { 122 struct filemon *filemon; 123 124 if ((filemon = filemon_proc_get(p)) != NULL) { 125 filemon_output_event(filemon, "E %d %s\n", 126 p->p_pid, 127 imgp->execpath != NULL ? imgp->execpath : "<unknown>"); 128 129 /* If the credentials changed then cease tracing. */ 130 if (imgp->newcred != NULL && 131 imgp->credential_setid && 132 priv_check_cred(filemon->cred, 133 PRIV_DEBUG_DIFFCRED, 0) != 0) { 134 /* 135 * It may have changed to NULL already, but 136 * will not be re-attached by anything else. 137 */ 138 if (p->p_filemon != NULL) { 139 KASSERT(p->p_filemon == filemon, 140 ("%s: proc %p didn't have expected" 141 " filemon %p", __func__, p, filemon)); 142 filemon_proc_drop(p); 143 } 144 } 145 146 147 filemon_drop(filemon); 148 } 149 } 150 151 static void 152 _filemon_wrapper_openat(struct thread *td, char *upath, int flags, int fd) 153 { 154 int error; 155 struct file *fp; 156 struct filemon *filemon; 157 char *atpath, *freepath; 158 cap_rights_t rights; 159 160 if ((filemon = filemon_proc_get(curproc)) != NULL) { 161 atpath = ""; 162 freepath = NULL; 163 fp = NULL; 164 165 if ((error = copyinstr(upath, filemon->fname1, 166 sizeof(filemon->fname1), NULL)) != 0) { 167 filemon->error = error; 168 goto copyfail; 169 } 170 171 if (filemon->fname1[0] != '/' && fd != AT_FDCWD) { 172 /* 173 * rats - we cannot do too much about this. 174 * the trace should show a dir we read 175 * recently.. output an A record as a clue 176 * until we can do better. 177 * XXX: This may be able to come out with 178 * the namecache lookup now. 179 */ 180 filemon_output_event(filemon, "A %d %s\n", 181 curproc->p_pid, filemon->fname1); 182 /* 183 * Try to resolve the path from the vnode using the 184 * namecache. It may be inaccurate, but better 185 * than nothing. 186 */ 187 if (getvnode(td, fd, 188 cap_rights_init(&rights, CAP_LOOKUP), &fp) == 0) { 189 vn_fullpath(td, fp->f_vnode, &atpath, 190 &freepath); 191 } 192 } 193 if (flags & O_RDWR) { 194 /* 195 * We'll get the W record below, but need 196 * to also output an R to distinguish from 197 * O_WRONLY. 198 */ 199 filemon_output_event(filemon, "R %d %s%s%s\n", 200 curproc->p_pid, atpath, 201 atpath[0] != '\0' ? "/" : "", filemon->fname1); 202 } 203 204 filemon_output_event(filemon, "%c %d %s%s%s\n", 205 (flags & O_ACCMODE) ? 'W':'R', 206 curproc->p_pid, atpath, 207 atpath[0] != '\0' ? "/" : "", filemon->fname1); 208 copyfail: 209 filemon_drop(filemon); 210 if (fp != NULL) 211 fdrop(fp, td); 212 free(freepath, M_TEMP); 213 } 214 } 215 216 static int 217 filemon_wrapper_open(struct thread *td, struct open_args *uap) 218 { 219 int ret; 220 221 if ((ret = sys_open(td, uap)) == 0) 222 _filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD); 223 224 return (ret); 225 } 226 227 static int 228 filemon_wrapper_openat(struct thread *td, struct openat_args *uap) 229 { 230 int ret; 231 232 if ((ret = sys_openat(td, uap)) == 0) 233 _filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd); 234 235 return (ret); 236 } 237 238 static int 239 filemon_wrapper_rename(struct thread *td, struct rename_args *uap) 240 { 241 int error, ret; 242 struct filemon *filemon; 243 244 if ((ret = sys_rename(td, uap)) == 0) { 245 if ((filemon = filemon_proc_get(curproc)) != NULL) { 246 if (((error = copyinstr(uap->from, filemon->fname1, 247 sizeof(filemon->fname1), NULL)) != 0) || 248 ((error = copyinstr(uap->to, filemon->fname2, 249 sizeof(filemon->fname2), NULL)) != 0)) { 250 filemon->error = error; 251 goto copyfail; 252 } 253 254 filemon_output_event(filemon, "M %d '%s' '%s'\n", 255 curproc->p_pid, filemon->fname1, filemon->fname2); 256 copyfail: 257 filemon_drop(filemon); 258 } 259 } 260 261 return (ret); 262 } 263 264 static void 265 _filemon_wrapper_link(struct thread *td, char *upath1, char *upath2) 266 { 267 struct filemon *filemon; 268 int error; 269 270 if ((filemon = filemon_proc_get(curproc)) != NULL) { 271 if (((error = copyinstr(upath1, filemon->fname1, 272 sizeof(filemon->fname1), NULL)) != 0) || 273 ((error = copyinstr(upath2, filemon->fname2, 274 sizeof(filemon->fname2), NULL)) != 0)) { 275 filemon->error = error; 276 goto copyfail; 277 } 278 279 filemon_output_event(filemon, "L %d '%s' '%s'\n", 280 curproc->p_pid, filemon->fname1, filemon->fname2); 281 copyfail: 282 filemon_drop(filemon); 283 } 284 } 285 286 static int 287 filemon_wrapper_link(struct thread *td, struct link_args *uap) 288 { 289 int ret; 290 291 if ((ret = sys_link(td, uap)) == 0) 292 _filemon_wrapper_link(td, uap->path, uap->link); 293 294 return (ret); 295 } 296 297 static int 298 filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap) 299 { 300 int ret; 301 302 if ((ret = sys_symlink(td, uap)) == 0) 303 _filemon_wrapper_link(td, uap->path, uap->link); 304 305 return (ret); 306 } 307 308 static int 309 filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap) 310 { 311 int ret; 312 313 if ((ret = sys_linkat(td, uap)) == 0) 314 _filemon_wrapper_link(td, uap->path1, uap->path2); 315 316 return (ret); 317 } 318 319 static void 320 filemon_event_process_exit(void *arg __unused, struct proc *p) 321 { 322 struct filemon *filemon; 323 324 if ((filemon = filemon_proc_get(p)) != NULL) { 325 filemon_output_event(filemon, "X %d %d %d\n", 326 p->p_pid, p->p_xexit, p->p_xsig); 327 328 /* 329 * filemon_untrack_processes() may have dropped this p_filemon 330 * already while in filemon_proc_get() before acquiring the 331 * filemon lock. 332 */ 333 KASSERT(p->p_filemon == NULL || p->p_filemon == filemon, 334 ("%s: p %p was attached while exiting, expected " 335 "filemon %p or NULL", __func__, p, filemon)); 336 if (p->p_filemon == filemon) 337 filemon_proc_drop(p); 338 339 filemon_drop(filemon); 340 } 341 } 342 343 static int 344 filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap) 345 { 346 int error, ret; 347 struct filemon *filemon; 348 349 if ((ret = sys_unlink(td, uap)) == 0) { 350 if ((filemon = filemon_proc_get(curproc)) != NULL) { 351 if ((error = copyinstr(uap->path, filemon->fname1, 352 sizeof(filemon->fname1), NULL)) != 0) { 353 filemon->error = error; 354 goto copyfail; 355 } 356 357 filemon_output_event(filemon, "D %d %s\n", 358 curproc->p_pid, filemon->fname1); 359 copyfail: 360 filemon_drop(filemon); 361 } 362 } 363 364 return (ret); 365 } 366 367 static void 368 filemon_event_process_fork(void *arg __unused, struct proc *p1, 369 struct proc *p2, int flags __unused) 370 { 371 struct filemon *filemon; 372 373 if ((filemon = filemon_proc_get(p1)) != NULL) { 374 filemon_output_event(filemon, "F %d %d\n", 375 p1->p_pid, p2->p_pid); 376 377 /* 378 * filemon_untrack_processes() or 379 * filemon_ioctl(FILEMON_SET_PID) may have changed the parent's 380 * p_filemon while in filemon_proc_get() before acquiring the 381 * filemon lock. Only inherit if the parent is still traced by 382 * this filemon. 383 */ 384 if (p1->p_filemon == filemon) { 385 PROC_LOCK(p2); 386 /* 387 * It may have been attached to already by a new 388 * filemon. 389 */ 390 if (p2->p_filemon == NULL) { 391 p2->p_filemon = filemon_acquire(filemon); 392 ++filemon->proccnt; 393 } 394 PROC_UNLOCK(p2); 395 } 396 397 filemon_drop(filemon); 398 } 399 } 400 401 static void 402 filemon_wrapper_install(void) 403 { 404 405 sysent[SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir; 406 sysent[SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open; 407 sysent[SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat; 408 sysent[SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename; 409 sysent[SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink; 410 sysent[SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link; 411 sysent[SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink; 412 sysent[SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat; 413 414 #if defined(COMPAT_FREEBSD32) 415 freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir; 416 freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open; 417 freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat; 418 freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename; 419 freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink; 420 freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link; 421 freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink; 422 freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat; 423 #endif /* COMPAT_FREEBSD32 */ 424 425 filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec, 426 filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST); 427 filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit, 428 filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST); 429 filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork, 430 filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST); 431 } 432 433 static void 434 filemon_wrapper_deinstall(void) 435 { 436 437 sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir; 438 sysent[SYS_open].sy_call = (sy_call_t *)sys_open; 439 sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat; 440 sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename; 441 sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink; 442 sysent[SYS_link].sy_call = (sy_call_t *)sys_link; 443 sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink; 444 sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat; 445 446 #if defined(COMPAT_FREEBSD32) 447 freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *)sys_chdir; 448 freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *)sys_open; 449 freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *)sys_openat; 450 freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *)sys_rename; 451 freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *)sys_unlink; 452 freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *)sys_link; 453 freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *)sys_symlink; 454 freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *)sys_linkat; 455 #endif /* COMPAT_FREEBSD32 */ 456 457 EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag); 458 EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag); 459 EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag); 460 } 461