1 /*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008-2009 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/param.h> 31 #include <sys/condvar.h> 32 #include <sys/conf.h> 33 #include <sys/eventhandler.h> 34 #include <sys/filio.h> 35 #include <sys/kernel.h> 36 #include <sys/lock.h> 37 #include <sys/malloc.h> 38 #include <sys/mutex.h> 39 #include <sys/poll.h> 40 #include <sys/proc.h> 41 #include <sys/queue.h> 42 #include <sys/rwlock.h> 43 #include <sys/selinfo.h> 44 #include <sys/sigio.h> 45 #include <sys/signal.h> 46 #include <sys/signalvar.h> 47 #include <sys/sx.h> 48 #include <sys/systm.h> 49 #include <sys/uio.h> 50 51 #include <security/audit/audit.h> 52 #include <security/audit/audit_ioctl.h> 53 #include <security/audit/audit_private.h> 54 55 /* 56 * Implementation of a clonable special device providing a live stream of BSM 57 * audit data. Consumers receive a "tee" of the system audit trail by 58 * default, but may also define alternative event selections using ioctls. 59 * This interface provides unreliable but timely access to audit events. 60 * Consumers should be very careful to avoid introducing event cycles. 61 */ 62 63 /* 64 * Memory types. 65 */ 66 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 67 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 68 "Audit pipe entries and buffers"); 69 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 70 "Audit pipe preselection structure"); 71 72 /* 73 * Audit pipe buffer parameters. 74 */ 75 #define AUDIT_PIPE_QLIMIT_DEFAULT (128) 76 #define AUDIT_PIPE_QLIMIT_MIN (1) 77 #define AUDIT_PIPE_QLIMIT_MAX (1024) 78 79 /* 80 * Description of an entry in an audit_pipe. 81 */ 82 struct audit_pipe_entry { 83 void *ape_record; 84 u_int ape_record_len; 85 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 86 }; 87 88 /* 89 * Audit pipes allow processes to express "interest" in the set of records 90 * that are delivered via the pipe. They do this in a similar manner to the 91 * mechanism for audit trail configuration, by expressing two global masks, 92 * and optionally expressing per-auid masks. The following data structure is 93 * the per-auid mask description. The global state is stored in the audit 94 * pipe data structure. 95 * 96 * We may want to consider a more space/time-efficient data structure once 97 * usage patterns for per-auid specifications are clear. 98 */ 99 struct audit_pipe_preselect { 100 au_id_t app_auid; 101 au_mask_t app_mask; 102 TAILQ_ENTRY(audit_pipe_preselect) app_list; 103 }; 104 105 /* 106 * Description of an individual audit_pipe. Consists largely of a bounded 107 * length queue. 108 */ 109 #define AUDIT_PIPE_ASYNC 0x00000001 110 #define AUDIT_PIPE_NBIO 0x00000002 111 struct audit_pipe { 112 u_int ap_flags; 113 114 struct selinfo ap_selinfo; 115 struct sigio *ap_sigio; 116 117 /* 118 * Per-pipe mutex protecting most fields in this data structure. 119 */ 120 struct mtx ap_mtx; 121 122 /* 123 * Per-pipe sleep lock serializing user-generated reads and flushes. 124 * uiomove() is called to copy out the current head record's data 125 * while the record remains in the queue, so we prevent other threads 126 * from removing it using this lock. 127 */ 128 struct sx ap_sx; 129 130 /* 131 * Condition variable to signal when data has been delivered to a 132 * pipe. 133 */ 134 struct cv ap_cv; 135 136 /* 137 * Various queue-reated variables: qlen and qlimit are a count of 138 * records in the queue; qbyteslen is the number of bytes of data 139 * across all records, and qoffset is the amount read so far of the 140 * first record in the queue. The number of bytes available for 141 * reading in the queue is qbyteslen - qoffset. 142 */ 143 u_int ap_qlen; 144 u_int ap_qlimit; 145 u_int ap_qbyteslen; 146 u_int ap_qoffset; 147 148 /* 149 * Per-pipe operation statistics. 150 */ 151 u_int64_t ap_inserts; /* Records added. */ 152 u_int64_t ap_reads; /* Records read. */ 153 u_int64_t ap_drops; /* Records dropped. */ 154 155 /* 156 * Fields relating to pipe interest: global masks for unmatched 157 * processes (attributable, non-attributable), and a list of specific 158 * interest specifications by auid. 159 */ 160 int ap_preselect_mode; 161 au_mask_t ap_preselect_flags; 162 au_mask_t ap_preselect_naflags; 163 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 164 165 /* 166 * Current pending record list. Protected by a combination of ap_mtx 167 * and ap_sx. Note particularly that *both* locks are required to 168 * remove a record from the head of the queue, as an in-progress read 169 * may sleep while copying and therefore cannot hold ap_mtx. 170 */ 171 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 172 173 /* 174 * Global pipe list. 175 */ 176 TAILQ_ENTRY(audit_pipe) ap_list; 177 }; 178 179 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 180 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 181 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 182 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 183 "audit_pipe_mtx", NULL, MTX_DEF) 184 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 185 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 186 187 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx) 188 #define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx") 189 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED) 190 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx) 191 #define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx) 192 193 /* 194 * Global list of audit pipes, rwlock to protect it. Individual record 195 * queues on pipes are protected by per-pipe locks; these locks synchronize 196 * between threads walking the list to deliver to individual pipes and add/ 197 * remove of pipes, and are mostly acquired for read. 198 */ 199 static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 200 static struct rwlock audit_pipe_lock; 201 202 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 203 "audit_pipe_list_lock") 204 #define AUDIT_PIPE_LIST_LOCK_DESTROY() rw_destroy(&audit_pipe_lock) 205 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 206 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 207 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 208 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 209 RA_WLOCKED) 210 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 211 212 /* 213 * Audit pipe device. 214 */ 215 static struct cdev *audit_pipe_dev; 216 217 #define AUDIT_PIPE_NAME "auditpipe" 218 219 /* 220 * Special device methods and definition. 221 */ 222 static d_open_t audit_pipe_open; 223 static d_read_t audit_pipe_read; 224 static d_ioctl_t audit_pipe_ioctl; 225 static d_poll_t audit_pipe_poll; 226 static d_kqfilter_t audit_pipe_kqfilter; 227 228 static struct cdevsw audit_pipe_cdevsw = { 229 .d_version = D_VERSION, 230 .d_open = audit_pipe_open, 231 .d_read = audit_pipe_read, 232 .d_ioctl = audit_pipe_ioctl, 233 .d_poll = audit_pipe_poll, 234 .d_kqfilter = audit_pipe_kqfilter, 235 .d_name = AUDIT_PIPE_NAME, 236 }; 237 238 static int audit_pipe_kqread(struct knote *note, long hint); 239 static void audit_pipe_kqdetach(struct knote *note); 240 241 static struct filterops audit_pipe_read_filterops = { 242 .f_isfd = 1, 243 .f_attach = NULL, 244 .f_detach = audit_pipe_kqdetach, 245 .f_event = audit_pipe_kqread, 246 }; 247 248 /* 249 * Some global statistics on audit pipes. 250 */ 251 static int audit_pipe_count; /* Current number of pipes. */ 252 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 253 static u_int64_t audit_pipe_records; /* Records seen. */ 254 static u_int64_t audit_pipe_drops; /* Global record drop count. */ 255 256 /* 257 * Free an audit pipe entry. 258 */ 259 static void 260 audit_pipe_entry_free(struct audit_pipe_entry *ape) 261 { 262 263 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 264 free(ape, M_AUDIT_PIPE_ENTRY); 265 } 266 267 /* 268 * Find an audit pipe preselection specification for an auid, if any. 269 */ 270 static struct audit_pipe_preselect * 271 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 272 { 273 struct audit_pipe_preselect *app; 274 275 AUDIT_PIPE_LOCK_ASSERT(ap); 276 277 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 278 if (app->app_auid == auid) 279 return (app); 280 } 281 return (NULL); 282 } 283 284 /* 285 * Query the per-pipe mask for a specific auid. 286 */ 287 static int 288 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 289 au_mask_t *maskp) 290 { 291 struct audit_pipe_preselect *app; 292 int error; 293 294 AUDIT_PIPE_LOCK(ap); 295 app = audit_pipe_preselect_find(ap, auid); 296 if (app != NULL) { 297 *maskp = app->app_mask; 298 error = 0; 299 } else 300 error = ENOENT; 301 AUDIT_PIPE_UNLOCK(ap); 302 return (error); 303 } 304 305 /* 306 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 307 * otherwise, update the current entry. 308 */ 309 static void 310 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 311 { 312 struct audit_pipe_preselect *app, *app_new; 313 314 /* 315 * Pessimistically assume that the auid doesn't already have a mask 316 * set, and allocate. We will free it if it is unneeded. 317 */ 318 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 319 AUDIT_PIPE_LOCK(ap); 320 app = audit_pipe_preselect_find(ap, auid); 321 if (app == NULL) { 322 app = app_new; 323 app_new = NULL; 324 app->app_auid = auid; 325 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 326 } 327 app->app_mask = mask; 328 AUDIT_PIPE_UNLOCK(ap); 329 if (app_new != NULL) 330 free(app_new, M_AUDIT_PIPE_PRESELECT); 331 } 332 333 /* 334 * Delete a per-auid mask on an audit pipe. 335 */ 336 static int 337 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 338 { 339 struct audit_pipe_preselect *app; 340 int error; 341 342 AUDIT_PIPE_LOCK(ap); 343 app = audit_pipe_preselect_find(ap, auid); 344 if (app != NULL) { 345 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 346 error = 0; 347 } else 348 error = ENOENT; 349 AUDIT_PIPE_UNLOCK(ap); 350 if (app != NULL) 351 free(app, M_AUDIT_PIPE_PRESELECT); 352 return (error); 353 } 354 355 /* 356 * Delete all per-auid masks on an audit pipe. 357 */ 358 static void 359 audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 360 { 361 struct audit_pipe_preselect *app; 362 363 AUDIT_PIPE_LOCK_ASSERT(ap); 364 365 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 366 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 367 free(app, M_AUDIT_PIPE_PRESELECT); 368 } 369 } 370 371 static void 372 audit_pipe_preselect_flush(struct audit_pipe *ap) 373 { 374 375 AUDIT_PIPE_LOCK(ap); 376 audit_pipe_preselect_flush_locked(ap); 377 AUDIT_PIPE_UNLOCK(ap); 378 } 379 380 /*- 381 * Determine whether a specific audit pipe matches a record with these 382 * properties. Algorithm is as follows: 383 * 384 * - If the pipe is configured to track the default trail configuration, then 385 * use the results of global preselection matching. 386 * - If not, search for a specifically configured auid entry matching the 387 * event. If an entry is found, use that. 388 * - Otherwise, use the default flags or naflags configured for the pipe. 389 */ 390 static int 391 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 392 au_event_t event, au_class_t class, int sorf, int trail_preselect) 393 { 394 struct audit_pipe_preselect *app; 395 396 AUDIT_PIPE_LOCK_ASSERT(ap); 397 398 switch (ap->ap_preselect_mode) { 399 case AUDITPIPE_PRESELECT_MODE_TRAIL: 400 return (trail_preselect); 401 402 case AUDITPIPE_PRESELECT_MODE_LOCAL: 403 app = audit_pipe_preselect_find(ap, auid); 404 if (app == NULL) { 405 if (auid == AU_DEFAUDITID) 406 return (au_preselect(event, class, 407 &ap->ap_preselect_naflags, sorf)); 408 else 409 return (au_preselect(event, class, 410 &ap->ap_preselect_flags, sorf)); 411 } else 412 return (au_preselect(event, class, &app->app_mask, 413 sorf)); 414 415 default: 416 panic("audit_pipe_preselect_check: mode %d", 417 ap->ap_preselect_mode); 418 } 419 420 return (0); 421 } 422 423 /* 424 * Determine whether there exists a pipe interested in a record with specific 425 * properties. 426 */ 427 int 428 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 429 int sorf, int trail_preselect) 430 { 431 struct audit_pipe *ap; 432 433 /* Lockless read to avoid acquiring the global lock if not needed. */ 434 if (TAILQ_EMPTY(&audit_pipe_list)) 435 return (0); 436 437 AUDIT_PIPE_LIST_RLOCK(); 438 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 439 AUDIT_PIPE_LOCK(ap); 440 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 441 trail_preselect)) { 442 AUDIT_PIPE_UNLOCK(ap); 443 AUDIT_PIPE_LIST_RUNLOCK(); 444 return (1); 445 } 446 AUDIT_PIPE_UNLOCK(ap); 447 } 448 AUDIT_PIPE_LIST_RUNLOCK(); 449 return (0); 450 } 451 452 /* 453 * Append individual record to a queue -- allocate queue-local buffer, and 454 * add to the queue. If the queue is full or we can't allocate memory, drop 455 * the newest record. 456 */ 457 static void 458 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 459 { 460 struct audit_pipe_entry *ape; 461 462 AUDIT_PIPE_LOCK_ASSERT(ap); 463 464 if (ap->ap_qlen >= ap->ap_qlimit) { 465 ap->ap_drops++; 466 audit_pipe_drops++; 467 return; 468 } 469 470 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 471 if (ape == NULL) { 472 ap->ap_drops++; 473 audit_pipe_drops++; 474 return; 475 } 476 477 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 478 if (ape->ape_record == NULL) { 479 free(ape, M_AUDIT_PIPE_ENTRY); 480 ap->ap_drops++; 481 audit_pipe_drops++; 482 return; 483 } 484 485 bcopy(record, ape->ape_record, record_len); 486 ape->ape_record_len = record_len; 487 488 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 489 ap->ap_inserts++; 490 ap->ap_qlen++; 491 ap->ap_qbyteslen += ape->ape_record_len; 492 selwakeuppri(&ap->ap_selinfo, PSOCK); 493 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 494 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 495 pgsigio(&ap->ap_sigio, SIGIO, 0); 496 cv_broadcast(&ap->ap_cv); 497 } 498 499 /* 500 * audit_pipe_submit(): audit_worker submits audit records via this 501 * interface, which arranges for them to be delivered to pipe queues. 502 */ 503 void 504 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 505 int trail_select, void *record, u_int record_len) 506 { 507 struct audit_pipe *ap; 508 509 /* 510 * Lockless read to avoid lock overhead if pipes are not in use. 511 */ 512 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 513 return; 514 515 AUDIT_PIPE_LIST_RLOCK(); 516 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 517 AUDIT_PIPE_LOCK(ap); 518 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 519 trail_select)) 520 audit_pipe_append(ap, record, record_len); 521 AUDIT_PIPE_UNLOCK(ap); 522 } 523 AUDIT_PIPE_LIST_RUNLOCK(); 524 525 /* Unlocked increment. */ 526 audit_pipe_records++; 527 } 528 529 /* 530 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 531 * since we don't currently have selection information available, it is 532 * delivered to the pipe unconditionally. 533 * 534 * XXXRW: This is a bug. The BSM check routine for submitting a user record 535 * should parse that information and return it. 536 */ 537 void 538 audit_pipe_submit_user(void *record, u_int record_len) 539 { 540 struct audit_pipe *ap; 541 542 /* 543 * Lockless read to avoid lock overhead if pipes are not in use. 544 */ 545 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 546 return; 547 548 AUDIT_PIPE_LIST_RLOCK(); 549 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 550 AUDIT_PIPE_LOCK(ap); 551 audit_pipe_append(ap, record, record_len); 552 AUDIT_PIPE_UNLOCK(ap); 553 } 554 AUDIT_PIPE_LIST_RUNLOCK(); 555 556 /* Unlocked increment. */ 557 audit_pipe_records++; 558 } 559 560 /* 561 * Allocate a new audit pipe. Connects the pipe, on success, to the global 562 * list and updates statistics. 563 */ 564 static struct audit_pipe * 565 audit_pipe_alloc(void) 566 { 567 struct audit_pipe *ap; 568 569 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 570 if (ap == NULL) 571 return (NULL); 572 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 573 TAILQ_INIT(&ap->ap_queue); 574 knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap)); 575 AUDIT_PIPE_LOCK_INIT(ap); 576 AUDIT_PIPE_SX_LOCK_INIT(ap); 577 cv_init(&ap->ap_cv, "audit_pipe"); 578 579 /* 580 * Default flags, naflags, and auid-specific preselection settings to 581 * 0. Initialize the mode to the global trail so that if praudit(1) 582 * is run on /dev/auditpipe, it sees events associated with the 583 * default trail. Pipe-aware application can clear the flag, set 584 * custom masks, and flush the pipe as needed. 585 */ 586 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 587 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 588 TAILQ_INIT(&ap->ap_preselect_list); 589 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 590 591 /* 592 * Add to global list and update global statistics. 593 */ 594 AUDIT_PIPE_LIST_WLOCK(); 595 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 596 audit_pipe_count++; 597 audit_pipe_ever++; 598 AUDIT_PIPE_LIST_WUNLOCK(); 599 600 return (ap); 601 } 602 603 /* 604 * Flush all records currently present in an audit pipe; assume mutex is held. 605 */ 606 static void 607 audit_pipe_flush(struct audit_pipe *ap) 608 { 609 struct audit_pipe_entry *ape; 610 611 AUDIT_PIPE_LOCK_ASSERT(ap); 612 613 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 614 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 615 ap->ap_qbyteslen -= ape->ape_record_len; 616 audit_pipe_entry_free(ape); 617 ap->ap_qlen--; 618 } 619 ap->ap_qoffset = 0; 620 621 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen")); 622 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen")); 623 } 624 625 /* 626 * Free an audit pipe; this means freeing all preselection state and all 627 * records in the pipe. Assumes global write lock and pipe mutex are held to 628 * prevent any new records from being inserted during the free, and that the 629 * audit pipe is still on the global list. 630 */ 631 static void 632 audit_pipe_free(struct audit_pipe *ap) 633 { 634 635 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 636 AUDIT_PIPE_LOCK_ASSERT(ap); 637 638 audit_pipe_preselect_flush_locked(ap); 639 audit_pipe_flush(ap); 640 cv_destroy(&ap->ap_cv); 641 AUDIT_PIPE_SX_LOCK_DESTROY(ap); 642 AUDIT_PIPE_LOCK_DESTROY(ap); 643 seldrain(&ap->ap_selinfo); 644 knlist_destroy(&ap->ap_selinfo.si_note); 645 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 646 free(ap, M_AUDIT_PIPE); 647 audit_pipe_count--; 648 } 649 650 static void 651 audit_pipe_dtor(void *arg) 652 { 653 struct audit_pipe *ap; 654 655 ap = arg; 656 funsetown(&ap->ap_sigio); 657 AUDIT_PIPE_LIST_WLOCK(); 658 AUDIT_PIPE_LOCK(ap); 659 audit_pipe_free(ap); 660 AUDIT_PIPE_LIST_WUNLOCK(); 661 } 662 663 /* 664 * Audit pipe open method. Explicit privilege check isn't used as this 665 * allows file permissions on the special device to be used to grant audit 666 * review access. Those file permissions should be managed carefully. 667 */ 668 static int 669 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 670 { 671 struct audit_pipe *ap; 672 int error; 673 674 ap = audit_pipe_alloc(); 675 if (ap == NULL) 676 return (ENOMEM); 677 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 678 error = devfs_set_cdevpriv(ap, audit_pipe_dtor); 679 if (error != 0) 680 audit_pipe_dtor(ap); 681 return (error); 682 } 683 684 /* 685 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 686 * commands. 687 */ 688 static int 689 audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 690 struct thread *td) 691 { 692 struct auditpipe_ioctl_preselect *aip; 693 struct audit_pipe *ap; 694 au_mask_t *maskp; 695 int error, mode; 696 au_id_t auid; 697 698 error = devfs_get_cdevpriv((void **)&ap); 699 if (error != 0) 700 return (error); 701 702 /* 703 * Audit pipe ioctls: first come standard device node ioctls, then 704 * manipulation of pipe settings, and finally, statistics query 705 * ioctls. 706 */ 707 switch (cmd) { 708 case FIONBIO: 709 AUDIT_PIPE_LOCK(ap); 710 if (*(int *)data) 711 ap->ap_flags |= AUDIT_PIPE_NBIO; 712 else 713 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 714 AUDIT_PIPE_UNLOCK(ap); 715 error = 0; 716 break; 717 718 case FIONREAD: 719 AUDIT_PIPE_LOCK(ap); 720 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset; 721 AUDIT_PIPE_UNLOCK(ap); 722 error = 0; 723 break; 724 725 case FIOASYNC: 726 AUDIT_PIPE_LOCK(ap); 727 if (*(int *)data) 728 ap->ap_flags |= AUDIT_PIPE_ASYNC; 729 else 730 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 731 AUDIT_PIPE_UNLOCK(ap); 732 error = 0; 733 break; 734 735 case FIOSETOWN: 736 error = fsetown(*(int *)data, &ap->ap_sigio); 737 break; 738 739 case FIOGETOWN: 740 *(int *)data = fgetown(&ap->ap_sigio); 741 error = 0; 742 break; 743 744 case AUDITPIPE_GET_QLEN: 745 *(u_int *)data = ap->ap_qlen; 746 error = 0; 747 break; 748 749 case AUDITPIPE_GET_QLIMIT: 750 *(u_int *)data = ap->ap_qlimit; 751 error = 0; 752 break; 753 754 case AUDITPIPE_SET_QLIMIT: 755 /* Lockless integer write. */ 756 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN && 757 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 758 ap->ap_qlimit = *(u_int *)data; 759 error = 0; 760 } else 761 error = EINVAL; 762 break; 763 764 case AUDITPIPE_GET_QLIMIT_MIN: 765 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 766 error = 0; 767 break; 768 769 case AUDITPIPE_GET_QLIMIT_MAX: 770 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 771 error = 0; 772 break; 773 774 case AUDITPIPE_GET_PRESELECT_FLAGS: 775 AUDIT_PIPE_LOCK(ap); 776 maskp = (au_mask_t *)data; 777 *maskp = ap->ap_preselect_flags; 778 AUDIT_PIPE_UNLOCK(ap); 779 error = 0; 780 break; 781 782 case AUDITPIPE_SET_PRESELECT_FLAGS: 783 AUDIT_PIPE_LOCK(ap); 784 maskp = (au_mask_t *)data; 785 ap->ap_preselect_flags = *maskp; 786 AUDIT_PIPE_UNLOCK(ap); 787 error = 0; 788 break; 789 790 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 791 AUDIT_PIPE_LOCK(ap); 792 maskp = (au_mask_t *)data; 793 *maskp = ap->ap_preselect_naflags; 794 AUDIT_PIPE_UNLOCK(ap); 795 error = 0; 796 break; 797 798 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 799 AUDIT_PIPE_LOCK(ap); 800 maskp = (au_mask_t *)data; 801 ap->ap_preselect_naflags = *maskp; 802 AUDIT_PIPE_UNLOCK(ap); 803 error = 0; 804 break; 805 806 case AUDITPIPE_GET_PRESELECT_AUID: 807 aip = (struct auditpipe_ioctl_preselect *)data; 808 error = audit_pipe_preselect_get(ap, aip->aip_auid, 809 &aip->aip_mask); 810 break; 811 812 case AUDITPIPE_SET_PRESELECT_AUID: 813 aip = (struct auditpipe_ioctl_preselect *)data; 814 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 815 error = 0; 816 break; 817 818 case AUDITPIPE_DELETE_PRESELECT_AUID: 819 auid = *(au_id_t *)data; 820 error = audit_pipe_preselect_delete(ap, auid); 821 break; 822 823 case AUDITPIPE_FLUSH_PRESELECT_AUID: 824 audit_pipe_preselect_flush(ap); 825 error = 0; 826 break; 827 828 case AUDITPIPE_GET_PRESELECT_MODE: 829 AUDIT_PIPE_LOCK(ap); 830 *(int *)data = ap->ap_preselect_mode; 831 AUDIT_PIPE_UNLOCK(ap); 832 error = 0; 833 break; 834 835 case AUDITPIPE_SET_PRESELECT_MODE: 836 mode = *(int *)data; 837 switch (mode) { 838 case AUDITPIPE_PRESELECT_MODE_TRAIL: 839 case AUDITPIPE_PRESELECT_MODE_LOCAL: 840 AUDIT_PIPE_LOCK(ap); 841 ap->ap_preselect_mode = mode; 842 AUDIT_PIPE_UNLOCK(ap); 843 error = 0; 844 break; 845 846 default: 847 error = EINVAL; 848 } 849 break; 850 851 case AUDITPIPE_FLUSH: 852 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 853 return (EINTR); 854 AUDIT_PIPE_LOCK(ap); 855 audit_pipe_flush(ap); 856 AUDIT_PIPE_UNLOCK(ap); 857 AUDIT_PIPE_SX_XUNLOCK(ap); 858 error = 0; 859 break; 860 861 case AUDITPIPE_GET_MAXAUDITDATA: 862 *(u_int *)data = MAXAUDITDATA; 863 error = 0; 864 break; 865 866 case AUDITPIPE_GET_INSERTS: 867 *(u_int *)data = ap->ap_inserts; 868 error = 0; 869 break; 870 871 case AUDITPIPE_GET_READS: 872 *(u_int *)data = ap->ap_reads; 873 error = 0; 874 break; 875 876 case AUDITPIPE_GET_DROPS: 877 *(u_int *)data = ap->ap_drops; 878 error = 0; 879 break; 880 881 case AUDITPIPE_GET_TRUNCATES: 882 *(u_int *)data = 0; 883 error = 0; 884 break; 885 886 default: 887 error = ENOTTY; 888 } 889 return (error); 890 } 891 892 /* 893 * Audit pipe read. Read one or more partial or complete records to user 894 * memory. 895 */ 896 static int 897 audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 898 { 899 struct audit_pipe_entry *ape; 900 struct audit_pipe *ap; 901 u_int toread; 902 int error; 903 904 error = devfs_get_cdevpriv((void **)&ap); 905 if (error != 0) 906 return (error); 907 908 /* 909 * We hold an sx(9) lock over read and flush because we rely on the 910 * stability of a record in the queue during uiomove(9). 911 */ 912 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 913 return (EINTR); 914 AUDIT_PIPE_LOCK(ap); 915 while (TAILQ_EMPTY(&ap->ap_queue)) { 916 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 917 AUDIT_PIPE_UNLOCK(ap); 918 AUDIT_PIPE_SX_XUNLOCK(ap); 919 return (EAGAIN); 920 } 921 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 922 if (error) { 923 AUDIT_PIPE_UNLOCK(ap); 924 AUDIT_PIPE_SX_XUNLOCK(ap); 925 return (error); 926 } 927 } 928 929 /* 930 * Copy as many remaining bytes from the current record to userspace 931 * as we can. Keep processing records until we run out of records in 932 * the queue, or until the user buffer runs out of space. 933 * 934 * Note: we rely on the SX lock to maintain ape's stability here. 935 */ 936 ap->ap_reads++; 937 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && 938 uio->uio_resid > 0) { 939 AUDIT_PIPE_LOCK_ASSERT(ap); 940 941 KASSERT(ape->ape_record_len > ap->ap_qoffset, 942 ("audit_pipe_read: record_len > qoffset (1)")); 943 toread = MIN(ape->ape_record_len - ap->ap_qoffset, 944 uio->uio_resid); 945 AUDIT_PIPE_UNLOCK(ap); 946 error = uiomove((char *)ape->ape_record + ap->ap_qoffset, 947 toread, uio); 948 if (error) { 949 AUDIT_PIPE_SX_XUNLOCK(ap); 950 return (error); 951 } 952 953 /* 954 * If the copy succeeded, update book-keeping, and if no 955 * bytes remain in the current record, free it. 956 */ 957 AUDIT_PIPE_LOCK(ap); 958 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 959 ("audit_pipe_read: queue out of sync after uiomove")); 960 ap->ap_qoffset += toread; 961 KASSERT(ape->ape_record_len >= ap->ap_qoffset, 962 ("audit_pipe_read: record_len >= qoffset (2)")); 963 if (ap->ap_qoffset == ape->ape_record_len) { 964 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 965 ap->ap_qbyteslen -= ape->ape_record_len; 966 audit_pipe_entry_free(ape); 967 ap->ap_qlen--; 968 ap->ap_qoffset = 0; 969 } 970 } 971 AUDIT_PIPE_UNLOCK(ap); 972 AUDIT_PIPE_SX_XUNLOCK(ap); 973 return (0); 974 } 975 976 /* 977 * Audit pipe poll. 978 */ 979 static int 980 audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 981 { 982 struct audit_pipe *ap; 983 int error, revents; 984 985 revents = 0; 986 error = devfs_get_cdevpriv((void **)&ap); 987 if (error != 0) 988 return (error); 989 if (events & (POLLIN | POLLRDNORM)) { 990 AUDIT_PIPE_LOCK(ap); 991 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 992 revents |= events & (POLLIN | POLLRDNORM); 993 else 994 selrecord(td, &ap->ap_selinfo); 995 AUDIT_PIPE_UNLOCK(ap); 996 } 997 return (revents); 998 } 999 1000 /* 1001 * Audit pipe kqfilter. 1002 */ 1003 static int 1004 audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1005 { 1006 struct audit_pipe *ap; 1007 int error; 1008 1009 error = devfs_get_cdevpriv((void **)&ap); 1010 if (error != 0) 1011 return (error); 1012 if (kn->kn_filter != EVFILT_READ) 1013 return (EINVAL); 1014 1015 kn->kn_fop = &audit_pipe_read_filterops; 1016 kn->kn_hook = ap; 1017 1018 AUDIT_PIPE_LOCK(ap); 1019 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1020 AUDIT_PIPE_UNLOCK(ap); 1021 return (0); 1022 } 1023 1024 /* 1025 * Return true if there are records available for reading on the pipe. 1026 */ 1027 static int 1028 audit_pipe_kqread(struct knote *kn, long hint) 1029 { 1030 struct audit_pipe *ap; 1031 1032 ap = (struct audit_pipe *)kn->kn_hook; 1033 AUDIT_PIPE_LOCK_ASSERT(ap); 1034 1035 if (ap->ap_qlen != 0) { 1036 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset; 1037 return (1); 1038 } else { 1039 kn->kn_data = 0; 1040 return (0); 1041 } 1042 } 1043 1044 /* 1045 * Detach kqueue state from audit pipe. 1046 */ 1047 static void 1048 audit_pipe_kqdetach(struct knote *kn) 1049 { 1050 struct audit_pipe *ap; 1051 1052 ap = (struct audit_pipe *)kn->kn_hook; 1053 AUDIT_PIPE_LOCK(ap); 1054 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1055 AUDIT_PIPE_UNLOCK(ap); 1056 } 1057 1058 /* 1059 * Initialize the audit pipe system. 1060 */ 1061 static void 1062 audit_pipe_init(void *unused) 1063 { 1064 1065 TAILQ_INIT(&audit_pipe_list); 1066 AUDIT_PIPE_LIST_LOCK_INIT(); 1067 audit_pipe_dev = make_dev(&audit_pipe_cdevsw, 0, UID_ROOT, 1068 GID_WHEEL, 0600, "%s", AUDIT_PIPE_NAME); 1069 if (audit_pipe_dev == NULL) { 1070 AUDIT_PIPE_LIST_LOCK_DESTROY(); 1071 panic("Can't initialize audit pipe subsystem"); 1072 } 1073 } 1074 1075 SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1076 NULL); 1077