1 /*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008-2009 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/param.h> 34 #include <sys/condvar.h> 35 #include <sys/conf.h> 36 #include <sys/eventhandler.h> 37 #include <sys/filio.h> 38 #include <sys/kernel.h> 39 #include <sys/lock.h> 40 #include <sys/malloc.h> 41 #include <sys/mutex.h> 42 #include <sys/poll.h> 43 #include <sys/proc.h> 44 #include <sys/queue.h> 45 #include <sys/rwlock.h> 46 #include <sys/selinfo.h> 47 #include <sys/sigio.h> 48 #include <sys/signal.h> 49 #include <sys/signalvar.h> 50 #include <sys/sx.h> 51 #include <sys/systm.h> 52 #include <sys/uio.h> 53 54 #include <security/audit/audit.h> 55 #include <security/audit/audit_ioctl.h> 56 #include <security/audit/audit_private.h> 57 58 /* 59 * Implementation of a clonable special device providing a live stream of BSM 60 * audit data. Consumers receive a "tee" of the system audit trail by 61 * default, but may also define alternative event selections using ioctls. 62 * This interface provides unreliable but timely access to audit events. 63 * Consumers should be very careful to avoid introducing event cycles. 64 */ 65 66 /* 67 * Memory types. 68 */ 69 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 70 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 71 "Audit pipe entries and buffers"); 72 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 73 "Audit pipe preselection structure"); 74 75 /* 76 * Audit pipe buffer parameters. 77 */ 78 #define AUDIT_PIPE_QLIMIT_DEFAULT (128) 79 #define AUDIT_PIPE_QLIMIT_MIN (1) 80 #define AUDIT_PIPE_QLIMIT_MAX (1024) 81 82 /* 83 * Description of an entry in an audit_pipe. 84 */ 85 struct audit_pipe_entry { 86 void *ape_record; 87 u_int ape_record_len; 88 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 89 }; 90 91 /* 92 * Audit pipes allow processes to express "interest" in the set of records 93 * that are delivered via the pipe. They do this in a similar manner to the 94 * mechanism for audit trail configuration, by expressing two global masks, 95 * and optionally expressing per-auid masks. The following data structure is 96 * the per-auid mask description. The global state is stored in the audit 97 * pipe data structure. 98 * 99 * We may want to consider a more space/time-efficient data structure once 100 * usage patterns for per-auid specifications are clear. 101 */ 102 struct audit_pipe_preselect { 103 au_id_t app_auid; 104 au_mask_t app_mask; 105 TAILQ_ENTRY(audit_pipe_preselect) app_list; 106 }; 107 108 /* 109 * Description of an individual audit_pipe. Consists largely of a bounded 110 * length queue. 111 */ 112 #define AUDIT_PIPE_ASYNC 0x00000001 113 #define AUDIT_PIPE_NBIO 0x00000002 114 struct audit_pipe { 115 u_int ap_flags; 116 117 struct selinfo ap_selinfo; 118 struct sigio *ap_sigio; 119 120 /* 121 * Per-pipe mutex protecting most fields in this data structure. 122 */ 123 struct mtx ap_mtx; 124 125 /* 126 * Per-pipe sleep lock serializing user-generated reads and flushes. 127 * uiomove() is called to copy out the current head record's data 128 * while the record remains in the queue, so we prevent other threads 129 * from removing it using this lock. 130 */ 131 struct sx ap_sx; 132 133 /* 134 * Condition variable to signal when data has been delivered to a 135 * pipe. 136 */ 137 struct cv ap_cv; 138 139 /* 140 * Various queue-reated variables: qlen and qlimit are a count of 141 * records in the queue; qbyteslen is the number of bytes of data 142 * across all records, and qoffset is the amount read so far of the 143 * first record in the queue. The number of bytes available for 144 * reading in the queue is qbyteslen - qoffset. 145 */ 146 u_int ap_qlen; 147 u_int ap_qlimit; 148 u_int ap_qbyteslen; 149 u_int ap_qoffset; 150 151 /* 152 * Per-pipe operation statistics. 153 */ 154 u_int64_t ap_inserts; /* Records added. */ 155 u_int64_t ap_reads; /* Records read. */ 156 u_int64_t ap_drops; /* Records dropped. */ 157 158 /* 159 * Fields relating to pipe interest: global masks for unmatched 160 * processes (attributable, non-attributable), and a list of specific 161 * interest specifications by auid. 162 */ 163 int ap_preselect_mode; 164 au_mask_t ap_preselect_flags; 165 au_mask_t ap_preselect_naflags; 166 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 167 168 /* 169 * Current pending record list. Protected by a combination of ap_mtx 170 * and ap_sx. Note particularly that *both* locks are required to 171 * remove a record from the head of the queue, as an in-progress read 172 * may sleep while copying and therefore cannot hold ap_mtx. 173 */ 174 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 175 176 /* 177 * Global pipe list. 178 */ 179 TAILQ_ENTRY(audit_pipe) ap_list; 180 }; 181 182 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 183 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 184 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 185 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 186 "audit_pipe_mtx", NULL, MTX_DEF) 187 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 188 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 189 190 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx) 191 #define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx") 192 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED) 193 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx) 194 #define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx) 195 196 /* 197 * Global list of audit pipes, rwlock to protect it. Individual record 198 * queues on pipes are protected by per-pipe locks; these locks synchronize 199 * between threads walking the list to deliver to individual pipes and add/ 200 * remove of pipes, and are mostly acquired for read. 201 */ 202 static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 203 static struct rwlock audit_pipe_lock; 204 205 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 206 "audit_pipe_list_lock") 207 #define AUDIT_PIPE_LIST_LOCK_DESTROY() rw_destroy(&audit_pipe_lock) 208 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 209 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 210 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 211 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 212 RA_WLOCKED) 213 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 214 215 /* 216 * Audit pipe device. 217 */ 218 static struct cdev *audit_pipe_dev; 219 220 #define AUDIT_PIPE_NAME "auditpipe" 221 222 /* 223 * Special device methods and definition. 224 */ 225 static d_open_t audit_pipe_open; 226 static d_read_t audit_pipe_read; 227 static d_ioctl_t audit_pipe_ioctl; 228 static d_poll_t audit_pipe_poll; 229 static d_kqfilter_t audit_pipe_kqfilter; 230 231 static struct cdevsw audit_pipe_cdevsw = { 232 .d_version = D_VERSION, 233 .d_open = audit_pipe_open, 234 .d_read = audit_pipe_read, 235 .d_ioctl = audit_pipe_ioctl, 236 .d_poll = audit_pipe_poll, 237 .d_kqfilter = audit_pipe_kqfilter, 238 .d_name = AUDIT_PIPE_NAME, 239 }; 240 241 static int audit_pipe_kqread(struct knote *note, long hint); 242 static void audit_pipe_kqdetach(struct knote *note); 243 244 static struct filterops audit_pipe_read_filterops = { 245 .f_isfd = 1, 246 .f_attach = NULL, 247 .f_detach = audit_pipe_kqdetach, 248 .f_event = audit_pipe_kqread, 249 }; 250 251 /* 252 * Some global statistics on audit pipes. 253 */ 254 static int audit_pipe_count; /* Current number of pipes. */ 255 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 256 static u_int64_t audit_pipe_records; /* Records seen. */ 257 static u_int64_t audit_pipe_drops; /* Global record drop count. */ 258 259 /* 260 * Free an audit pipe entry. 261 */ 262 static void 263 audit_pipe_entry_free(struct audit_pipe_entry *ape) 264 { 265 266 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 267 free(ape, M_AUDIT_PIPE_ENTRY); 268 } 269 270 /* 271 * Find an audit pipe preselection specification for an auid, if any. 272 */ 273 static struct audit_pipe_preselect * 274 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 275 { 276 struct audit_pipe_preselect *app; 277 278 AUDIT_PIPE_LOCK_ASSERT(ap); 279 280 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 281 if (app->app_auid == auid) 282 return (app); 283 } 284 return (NULL); 285 } 286 287 /* 288 * Query the per-pipe mask for a specific auid. 289 */ 290 static int 291 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 292 au_mask_t *maskp) 293 { 294 struct audit_pipe_preselect *app; 295 int error; 296 297 AUDIT_PIPE_LOCK(ap); 298 app = audit_pipe_preselect_find(ap, auid); 299 if (app != NULL) { 300 *maskp = app->app_mask; 301 error = 0; 302 } else 303 error = ENOENT; 304 AUDIT_PIPE_UNLOCK(ap); 305 return (error); 306 } 307 308 /* 309 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 310 * otherwise, update the current entry. 311 */ 312 static void 313 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 314 { 315 struct audit_pipe_preselect *app, *app_new; 316 317 /* 318 * Pessimistically assume that the auid doesn't already have a mask 319 * set, and allocate. We will free it if it is unneeded. 320 */ 321 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 322 AUDIT_PIPE_LOCK(ap); 323 app = audit_pipe_preselect_find(ap, auid); 324 if (app == NULL) { 325 app = app_new; 326 app_new = NULL; 327 app->app_auid = auid; 328 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 329 } 330 app->app_mask = mask; 331 AUDIT_PIPE_UNLOCK(ap); 332 if (app_new != NULL) 333 free(app_new, M_AUDIT_PIPE_PRESELECT); 334 } 335 336 /* 337 * Delete a per-auid mask on an audit pipe. 338 */ 339 static int 340 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 341 { 342 struct audit_pipe_preselect *app; 343 int error; 344 345 AUDIT_PIPE_LOCK(ap); 346 app = audit_pipe_preselect_find(ap, auid); 347 if (app != NULL) { 348 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 349 error = 0; 350 } else 351 error = ENOENT; 352 AUDIT_PIPE_UNLOCK(ap); 353 if (app != NULL) 354 free(app, M_AUDIT_PIPE_PRESELECT); 355 return (error); 356 } 357 358 /* 359 * Delete all per-auid masks on an audit pipe. 360 */ 361 static void 362 audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 363 { 364 struct audit_pipe_preselect *app; 365 366 AUDIT_PIPE_LOCK_ASSERT(ap); 367 368 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 369 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 370 free(app, M_AUDIT_PIPE_PRESELECT); 371 } 372 } 373 374 static void 375 audit_pipe_preselect_flush(struct audit_pipe *ap) 376 { 377 378 AUDIT_PIPE_LOCK(ap); 379 audit_pipe_preselect_flush_locked(ap); 380 AUDIT_PIPE_UNLOCK(ap); 381 } 382 383 /*- 384 * Determine whether a specific audit pipe matches a record with these 385 * properties. Algorithm is as follows: 386 * 387 * - If the pipe is configured to track the default trail configuration, then 388 * use the results of global preselection matching. 389 * - If not, search for a specifically configured auid entry matching the 390 * event. If an entry is found, use that. 391 * - Otherwise, use the default flags or naflags configured for the pipe. 392 */ 393 static int 394 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 395 au_event_t event, au_class_t class, int sorf, int trail_preselect) 396 { 397 struct audit_pipe_preselect *app; 398 399 AUDIT_PIPE_LOCK_ASSERT(ap); 400 401 switch (ap->ap_preselect_mode) { 402 case AUDITPIPE_PRESELECT_MODE_TRAIL: 403 return (trail_preselect); 404 405 case AUDITPIPE_PRESELECT_MODE_LOCAL: 406 app = audit_pipe_preselect_find(ap, auid); 407 if (app == NULL) { 408 if (auid == AU_DEFAUDITID) 409 return (au_preselect(event, class, 410 &ap->ap_preselect_naflags, sorf)); 411 else 412 return (au_preselect(event, class, 413 &ap->ap_preselect_flags, sorf)); 414 } else 415 return (au_preselect(event, class, &app->app_mask, 416 sorf)); 417 418 default: 419 panic("audit_pipe_preselect_check: mode %d", 420 ap->ap_preselect_mode); 421 } 422 423 return (0); 424 } 425 426 /* 427 * Determine whether there exists a pipe interested in a record with specific 428 * properties. 429 */ 430 int 431 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 432 int sorf, int trail_preselect) 433 { 434 struct audit_pipe *ap; 435 436 /* Lockless read to avoid acquiring the global lock if not needed. */ 437 if (TAILQ_EMPTY(&audit_pipe_list)) 438 return (0); 439 440 AUDIT_PIPE_LIST_RLOCK(); 441 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 442 AUDIT_PIPE_LOCK(ap); 443 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 444 trail_preselect)) { 445 AUDIT_PIPE_UNLOCK(ap); 446 AUDIT_PIPE_LIST_RUNLOCK(); 447 return (1); 448 } 449 AUDIT_PIPE_UNLOCK(ap); 450 } 451 AUDIT_PIPE_LIST_RUNLOCK(); 452 return (0); 453 } 454 455 /* 456 * Append individual record to a queue -- allocate queue-local buffer, and 457 * add to the queue. If the queue is full or we can't allocate memory, drop 458 * the newest record. 459 */ 460 static void 461 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 462 { 463 struct audit_pipe_entry *ape; 464 465 AUDIT_PIPE_LOCK_ASSERT(ap); 466 467 if (ap->ap_qlen >= ap->ap_qlimit) { 468 ap->ap_drops++; 469 audit_pipe_drops++; 470 return; 471 } 472 473 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 474 if (ape == NULL) { 475 ap->ap_drops++; 476 audit_pipe_drops++; 477 return; 478 } 479 480 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 481 if (ape->ape_record == NULL) { 482 free(ape, M_AUDIT_PIPE_ENTRY); 483 ap->ap_drops++; 484 audit_pipe_drops++; 485 return; 486 } 487 488 bcopy(record, ape->ape_record, record_len); 489 ape->ape_record_len = record_len; 490 491 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 492 ap->ap_inserts++; 493 ap->ap_qlen++; 494 ap->ap_qbyteslen += ape->ape_record_len; 495 selwakeuppri(&ap->ap_selinfo, PSOCK); 496 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 497 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 498 pgsigio(&ap->ap_sigio, SIGIO, 0); 499 cv_broadcast(&ap->ap_cv); 500 } 501 502 /* 503 * audit_pipe_submit(): audit_worker submits audit records via this 504 * interface, which arranges for them to be delivered to pipe queues. 505 */ 506 void 507 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 508 int trail_select, void *record, u_int record_len) 509 { 510 struct audit_pipe *ap; 511 512 /* 513 * Lockless read to avoid lock overhead if pipes are not in use. 514 */ 515 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 516 return; 517 518 AUDIT_PIPE_LIST_RLOCK(); 519 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 520 AUDIT_PIPE_LOCK(ap); 521 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 522 trail_select)) 523 audit_pipe_append(ap, record, record_len); 524 AUDIT_PIPE_UNLOCK(ap); 525 } 526 AUDIT_PIPE_LIST_RUNLOCK(); 527 528 /* Unlocked increment. */ 529 audit_pipe_records++; 530 } 531 532 /* 533 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 534 * since we don't currently have selection information available, it is 535 * delivered to the pipe unconditionally. 536 * 537 * XXXRW: This is a bug. The BSM check routine for submitting a user record 538 * should parse that information and return it. 539 */ 540 void 541 audit_pipe_submit_user(void *record, u_int record_len) 542 { 543 struct audit_pipe *ap; 544 545 /* 546 * Lockless read to avoid lock overhead if pipes are not in use. 547 */ 548 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 549 return; 550 551 AUDIT_PIPE_LIST_RLOCK(); 552 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 553 AUDIT_PIPE_LOCK(ap); 554 audit_pipe_append(ap, record, record_len); 555 AUDIT_PIPE_UNLOCK(ap); 556 } 557 AUDIT_PIPE_LIST_RUNLOCK(); 558 559 /* Unlocked increment. */ 560 audit_pipe_records++; 561 } 562 563 /* 564 * Allocate a new audit pipe. Connects the pipe, on success, to the global 565 * list and updates statistics. 566 */ 567 static struct audit_pipe * 568 audit_pipe_alloc(void) 569 { 570 struct audit_pipe *ap; 571 572 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 573 if (ap == NULL) 574 return (NULL); 575 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 576 TAILQ_INIT(&ap->ap_queue); 577 knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap)); 578 AUDIT_PIPE_LOCK_INIT(ap); 579 AUDIT_PIPE_SX_LOCK_INIT(ap); 580 cv_init(&ap->ap_cv, "audit_pipe"); 581 582 /* 583 * Default flags, naflags, and auid-specific preselection settings to 584 * 0. Initialize the mode to the global trail so that if praudit(1) 585 * is run on /dev/auditpipe, it sees events associated with the 586 * default trail. Pipe-aware application can clear the flag, set 587 * custom masks, and flush the pipe as needed. 588 */ 589 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 590 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 591 TAILQ_INIT(&ap->ap_preselect_list); 592 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 593 594 /* 595 * Add to global list and update global statistics. 596 */ 597 AUDIT_PIPE_LIST_WLOCK(); 598 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 599 audit_pipe_count++; 600 audit_pipe_ever++; 601 AUDIT_PIPE_LIST_WUNLOCK(); 602 603 return (ap); 604 } 605 606 /* 607 * Flush all records currently present in an audit pipe; assume mutex is held. 608 */ 609 static void 610 audit_pipe_flush(struct audit_pipe *ap) 611 { 612 struct audit_pipe_entry *ape; 613 614 AUDIT_PIPE_LOCK_ASSERT(ap); 615 616 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 617 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 618 ap->ap_qbyteslen -= ape->ape_record_len; 619 audit_pipe_entry_free(ape); 620 ap->ap_qlen--; 621 } 622 ap->ap_qoffset = 0; 623 624 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen")); 625 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen")); 626 } 627 628 /* 629 * Free an audit pipe; this means freeing all preselection state and all 630 * records in the pipe. Assumes global write lock and pipe mutex are held to 631 * prevent any new records from being inserted during the free, and that the 632 * audit pipe is still on the global list. 633 */ 634 static void 635 audit_pipe_free(struct audit_pipe *ap) 636 { 637 638 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 639 AUDIT_PIPE_LOCK_ASSERT(ap); 640 641 audit_pipe_preselect_flush_locked(ap); 642 audit_pipe_flush(ap); 643 cv_destroy(&ap->ap_cv); 644 AUDIT_PIPE_SX_LOCK_DESTROY(ap); 645 AUDIT_PIPE_LOCK_DESTROY(ap); 646 seldrain(&ap->ap_selinfo); 647 knlist_destroy(&ap->ap_selinfo.si_note); 648 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 649 free(ap, M_AUDIT_PIPE); 650 audit_pipe_count--; 651 } 652 653 static void 654 audit_pipe_dtor(void *arg) 655 { 656 struct audit_pipe *ap; 657 658 ap = arg; 659 funsetown(&ap->ap_sigio); 660 AUDIT_PIPE_LIST_WLOCK(); 661 AUDIT_PIPE_LOCK(ap); 662 audit_pipe_free(ap); 663 AUDIT_PIPE_LIST_WUNLOCK(); 664 } 665 666 /* 667 * Audit pipe open method. Explicit privilege check isn't used as this 668 * allows file permissions on the special device to be used to grant audit 669 * review access. Those file permissions should be managed carefully. 670 */ 671 static int 672 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 673 { 674 struct audit_pipe *ap; 675 int error; 676 677 ap = audit_pipe_alloc(); 678 if (ap == NULL) 679 return (ENOMEM); 680 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 681 error = devfs_set_cdevpriv(ap, audit_pipe_dtor); 682 if (error != 0) 683 audit_pipe_dtor(ap); 684 return (error); 685 } 686 687 /* 688 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 689 * commands. 690 */ 691 static int 692 audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 693 struct thread *td) 694 { 695 struct auditpipe_ioctl_preselect *aip; 696 struct audit_pipe *ap; 697 au_mask_t *maskp; 698 int error, mode; 699 au_id_t auid; 700 701 error = devfs_get_cdevpriv((void **)&ap); 702 if (error != 0) 703 return (error); 704 705 /* 706 * Audit pipe ioctls: first come standard device node ioctls, then 707 * manipulation of pipe settings, and finally, statistics query 708 * ioctls. 709 */ 710 switch (cmd) { 711 case FIONBIO: 712 AUDIT_PIPE_LOCK(ap); 713 if (*(int *)data) 714 ap->ap_flags |= AUDIT_PIPE_NBIO; 715 else 716 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 717 AUDIT_PIPE_UNLOCK(ap); 718 error = 0; 719 break; 720 721 case FIONREAD: 722 AUDIT_PIPE_LOCK(ap); 723 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset; 724 AUDIT_PIPE_UNLOCK(ap); 725 error = 0; 726 break; 727 728 case FIOASYNC: 729 AUDIT_PIPE_LOCK(ap); 730 if (*(int *)data) 731 ap->ap_flags |= AUDIT_PIPE_ASYNC; 732 else 733 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 734 AUDIT_PIPE_UNLOCK(ap); 735 error = 0; 736 break; 737 738 case FIOSETOWN: 739 error = fsetown(*(int *)data, &ap->ap_sigio); 740 break; 741 742 case FIOGETOWN: 743 *(int *)data = fgetown(&ap->ap_sigio); 744 error = 0; 745 break; 746 747 case AUDITPIPE_GET_QLEN: 748 *(u_int *)data = ap->ap_qlen; 749 error = 0; 750 break; 751 752 case AUDITPIPE_GET_QLIMIT: 753 *(u_int *)data = ap->ap_qlimit; 754 error = 0; 755 break; 756 757 case AUDITPIPE_SET_QLIMIT: 758 /* Lockless integer write. */ 759 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 760 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 761 ap->ap_qlimit = *(u_int *)data; 762 error = 0; 763 } else 764 error = EINVAL; 765 break; 766 767 case AUDITPIPE_GET_QLIMIT_MIN: 768 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 769 error = 0; 770 break; 771 772 case AUDITPIPE_GET_QLIMIT_MAX: 773 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 774 error = 0; 775 break; 776 777 case AUDITPIPE_GET_PRESELECT_FLAGS: 778 AUDIT_PIPE_LOCK(ap); 779 maskp = (au_mask_t *)data; 780 *maskp = ap->ap_preselect_flags; 781 AUDIT_PIPE_UNLOCK(ap); 782 error = 0; 783 break; 784 785 case AUDITPIPE_SET_PRESELECT_FLAGS: 786 AUDIT_PIPE_LOCK(ap); 787 maskp = (au_mask_t *)data; 788 ap->ap_preselect_flags = *maskp; 789 AUDIT_PIPE_UNLOCK(ap); 790 error = 0; 791 break; 792 793 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 794 AUDIT_PIPE_LOCK(ap); 795 maskp = (au_mask_t *)data; 796 *maskp = ap->ap_preselect_naflags; 797 AUDIT_PIPE_UNLOCK(ap); 798 error = 0; 799 break; 800 801 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 802 AUDIT_PIPE_LOCK(ap); 803 maskp = (au_mask_t *)data; 804 ap->ap_preselect_naflags = *maskp; 805 AUDIT_PIPE_UNLOCK(ap); 806 error = 0; 807 break; 808 809 case AUDITPIPE_GET_PRESELECT_AUID: 810 aip = (struct auditpipe_ioctl_preselect *)data; 811 error = audit_pipe_preselect_get(ap, aip->aip_auid, 812 &aip->aip_mask); 813 break; 814 815 case AUDITPIPE_SET_PRESELECT_AUID: 816 aip = (struct auditpipe_ioctl_preselect *)data; 817 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 818 error = 0; 819 break; 820 821 case AUDITPIPE_DELETE_PRESELECT_AUID: 822 auid = *(au_id_t *)data; 823 error = audit_pipe_preselect_delete(ap, auid); 824 break; 825 826 case AUDITPIPE_FLUSH_PRESELECT_AUID: 827 audit_pipe_preselect_flush(ap); 828 error = 0; 829 break; 830 831 case AUDITPIPE_GET_PRESELECT_MODE: 832 AUDIT_PIPE_LOCK(ap); 833 *(int *)data = ap->ap_preselect_mode; 834 AUDIT_PIPE_UNLOCK(ap); 835 error = 0; 836 break; 837 838 case AUDITPIPE_SET_PRESELECT_MODE: 839 mode = *(int *)data; 840 switch (mode) { 841 case AUDITPIPE_PRESELECT_MODE_TRAIL: 842 case AUDITPIPE_PRESELECT_MODE_LOCAL: 843 AUDIT_PIPE_LOCK(ap); 844 ap->ap_preselect_mode = mode; 845 AUDIT_PIPE_UNLOCK(ap); 846 error = 0; 847 break; 848 849 default: 850 error = EINVAL; 851 } 852 break; 853 854 case AUDITPIPE_FLUSH: 855 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 856 return (EINTR); 857 AUDIT_PIPE_LOCK(ap); 858 audit_pipe_flush(ap); 859 AUDIT_PIPE_UNLOCK(ap); 860 AUDIT_PIPE_SX_XUNLOCK(ap); 861 error = 0; 862 break; 863 864 case AUDITPIPE_GET_MAXAUDITDATA: 865 *(u_int *)data = MAXAUDITDATA; 866 error = 0; 867 break; 868 869 case AUDITPIPE_GET_INSERTS: 870 *(u_int *)data = ap->ap_inserts; 871 error = 0; 872 break; 873 874 case AUDITPIPE_GET_READS: 875 *(u_int *)data = ap->ap_reads; 876 error = 0; 877 break; 878 879 case AUDITPIPE_GET_DROPS: 880 *(u_int *)data = ap->ap_drops; 881 error = 0; 882 break; 883 884 case AUDITPIPE_GET_TRUNCATES: 885 *(u_int *)data = 0; 886 error = 0; 887 break; 888 889 default: 890 error = ENOTTY; 891 } 892 return (error); 893 } 894 895 /* 896 * Audit pipe read. Read one or more partial or complete records to user 897 * memory. 898 */ 899 static int 900 audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 901 { 902 struct audit_pipe_entry *ape; 903 struct audit_pipe *ap; 904 u_int toread; 905 int error; 906 907 error = devfs_get_cdevpriv((void **)&ap); 908 if (error != 0) 909 return (error); 910 911 /* 912 * We hold an sx(9) lock over read and flush because we rely on the 913 * stability of a record in the queue during uiomove(9). 914 */ 915 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 916 return (EINTR); 917 AUDIT_PIPE_LOCK(ap); 918 while (TAILQ_EMPTY(&ap->ap_queue)) { 919 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 920 AUDIT_PIPE_UNLOCK(ap); 921 AUDIT_PIPE_SX_XUNLOCK(ap); 922 return (EAGAIN); 923 } 924 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 925 if (error) { 926 AUDIT_PIPE_UNLOCK(ap); 927 AUDIT_PIPE_SX_XUNLOCK(ap); 928 return (error); 929 } 930 } 931 932 /* 933 * Copy as many remaining bytes from the current record to userspace 934 * as we can. Keep processing records until we run out of records in 935 * the queue, or until the user buffer runs out of space. 936 * 937 * Note: we rely on the SX lock to maintain ape's stability here. 938 */ 939 ap->ap_reads++; 940 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && 941 uio->uio_resid > 0) { 942 AUDIT_PIPE_LOCK_ASSERT(ap); 943 944 KASSERT(ape->ape_record_len > ap->ap_qoffset, 945 ("audit_pipe_read: record_len > qoffset (1)")); 946 toread = MIN(ape->ape_record_len - ap->ap_qoffset, 947 uio->uio_resid); 948 AUDIT_PIPE_UNLOCK(ap); 949 error = uiomove((char *)ape->ape_record + ap->ap_qoffset, 950 toread, uio); 951 if (error) { 952 AUDIT_PIPE_SX_XUNLOCK(ap); 953 return (error); 954 } 955 956 /* 957 * If the copy succeeded, update book-keeping, and if no 958 * bytes remain in the current record, free it. 959 */ 960 AUDIT_PIPE_LOCK(ap); 961 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 962 ("audit_pipe_read: queue out of sync after uiomove")); 963 ap->ap_qoffset += toread; 964 KASSERT(ape->ape_record_len >= ap->ap_qoffset, 965 ("audit_pipe_read: record_len >= qoffset (2)")); 966 if (ap->ap_qoffset == ape->ape_record_len) { 967 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 968 ap->ap_qbyteslen -= ape->ape_record_len; 969 audit_pipe_entry_free(ape); 970 ap->ap_qlen--; 971 ap->ap_qoffset = 0; 972 } 973 } 974 AUDIT_PIPE_UNLOCK(ap); 975 AUDIT_PIPE_SX_XUNLOCK(ap); 976 return (0); 977 } 978 979 /* 980 * Audit pipe poll. 981 */ 982 static int 983 audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 984 { 985 struct audit_pipe *ap; 986 int error, revents; 987 988 revents = 0; 989 error = devfs_get_cdevpriv((void **)&ap); 990 if (error != 0) 991 return (error); 992 if (events & (POLLIN | POLLRDNORM)) { 993 AUDIT_PIPE_LOCK(ap); 994 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 995 revents |= events & (POLLIN | POLLRDNORM); 996 else 997 selrecord(td, &ap->ap_selinfo); 998 AUDIT_PIPE_UNLOCK(ap); 999 } 1000 return (revents); 1001 } 1002 1003 /* 1004 * Audit pipe kqfilter. 1005 */ 1006 static int 1007 audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1008 { 1009 struct audit_pipe *ap; 1010 int error; 1011 1012 error = devfs_get_cdevpriv((void **)&ap); 1013 if (error != 0) 1014 return (error); 1015 if (kn->kn_filter != EVFILT_READ) 1016 return (EINVAL); 1017 1018 kn->kn_fop = &audit_pipe_read_filterops; 1019 kn->kn_hook = ap; 1020 1021 AUDIT_PIPE_LOCK(ap); 1022 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1023 AUDIT_PIPE_UNLOCK(ap); 1024 return (0); 1025 } 1026 1027 /* 1028 * Return true if there are records available for reading on the pipe. 1029 */ 1030 static int 1031 audit_pipe_kqread(struct knote *kn, long hint) 1032 { 1033 struct audit_pipe *ap; 1034 1035 ap = (struct audit_pipe *)kn->kn_hook; 1036 AUDIT_PIPE_LOCK_ASSERT(ap); 1037 1038 if (ap->ap_qlen != 0) { 1039 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset; 1040 return (1); 1041 } else { 1042 kn->kn_data = 0; 1043 return (0); 1044 } 1045 } 1046 1047 /* 1048 * Detach kqueue state from audit pipe. 1049 */ 1050 static void 1051 audit_pipe_kqdetach(struct knote *kn) 1052 { 1053 struct audit_pipe *ap; 1054 1055 ap = (struct audit_pipe *)kn->kn_hook; 1056 AUDIT_PIPE_LOCK(ap); 1057 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1058 AUDIT_PIPE_UNLOCK(ap); 1059 } 1060 1061 /* 1062 * Initialize the audit pipe system. 1063 */ 1064 static void 1065 audit_pipe_init(void *unused) 1066 { 1067 1068 TAILQ_INIT(&audit_pipe_list); 1069 AUDIT_PIPE_LIST_LOCK_INIT(); 1070 audit_pipe_dev = make_dev(&audit_pipe_cdevsw, 0, UID_ROOT, 1071 GID_WHEEL, 0600, "%s", AUDIT_PIPE_NAME); 1072 if (audit_pipe_dev == NULL) { 1073 AUDIT_PIPE_LIST_LOCK_DESTROY(); 1074 panic("Can't initialize audit pipe subsystem"); 1075 } 1076 } 1077 1078 SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1079 NULL); 1080