xref: /freebsd/sys/security/audit/audit_pipe.c (revision 7d8f797b725e3efc0a4256554654780df83c456c)
1 /*-
2  * Copyright (c) 2006 Robert N. M. Watson
3  * Copyright (c) 2008-2009 Apple, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/param.h>
34 #include <sys/condvar.h>
35 #include <sys/conf.h>
36 #include <sys/eventhandler.h>
37 #include <sys/filio.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/malloc.h>
41 #include <sys/mutex.h>
42 #include <sys/poll.h>
43 #include <sys/proc.h>
44 #include <sys/queue.h>
45 #include <sys/rwlock.h>
46 #include <sys/selinfo.h>
47 #include <sys/sigio.h>
48 #include <sys/signal.h>
49 #include <sys/signalvar.h>
50 #include <sys/sx.h>
51 #include <sys/systm.h>
52 #include <sys/uio.h>
53 
54 #include <security/audit/audit.h>
55 #include <security/audit/audit_ioctl.h>
56 #include <security/audit/audit_private.h>
57 
58 /*
59  * Implementation of a clonable special device providing a live stream of BSM
60  * audit data.  Consumers receive a "tee" of the system audit trail by
61  * default, but may also define alternative event selections using ioctls.
62  * This interface provides unreliable but timely access to audit events.
63  * Consumers should be very careful to avoid introducing event cycles.
64  */
65 
66 /*
67  * Memory types.
68  */
69 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
70 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
71     "Audit pipe entries and buffers");
72 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
73     "Audit pipe preselection structure");
74 
75 /*
76  * Audit pipe buffer parameters.
77  */
78 #define	AUDIT_PIPE_QLIMIT_DEFAULT	(128)
79 #define	AUDIT_PIPE_QLIMIT_MIN		(1)
80 #define	AUDIT_PIPE_QLIMIT_MAX		(1024)
81 
82 /*
83  * Description of an entry in an audit_pipe.
84  */
85 struct audit_pipe_entry {
86 	void				*ape_record;
87 	u_int				 ape_record_len;
88 	TAILQ_ENTRY(audit_pipe_entry)	 ape_queue;
89 };
90 
91 /*
92  * Audit pipes allow processes to express "interest" in the set of records
93  * that are delivered via the pipe.  They do this in a similar manner to the
94  * mechanism for audit trail configuration, by expressing two global masks,
95  * and optionally expressing per-auid masks.  The following data structure is
96  * the per-auid mask description.  The global state is stored in the audit
97  * pipe data structure.
98  *
99  * We may want to consider a more space/time-efficient data structure once
100  * usage patterns for per-auid specifications are clear.
101  */
102 struct audit_pipe_preselect {
103 	au_id_t					 app_auid;
104 	au_mask_t				 app_mask;
105 	TAILQ_ENTRY(audit_pipe_preselect)	 app_list;
106 };
107 
108 /*
109  * Description of an individual audit_pipe.  Consists largely of a bounded
110  * length queue.
111  */
112 #define	AUDIT_PIPE_ASYNC	0x00000001
113 #define	AUDIT_PIPE_NBIO		0x00000002
114 struct audit_pipe {
115 	u_int				 ap_flags;
116 
117 	struct selinfo			 ap_selinfo;
118 	struct sigio			*ap_sigio;
119 
120 	/*
121 	 * Per-pipe mutex protecting most fields in this data structure.
122 	 */
123 	struct mtx			 ap_mtx;
124 
125 	/*
126 	 * Per-pipe sleep lock serializing user-generated reads and flushes.
127 	 * uiomove() is called to copy out the current head record's data
128 	 * while the record remains in the queue, so we prevent other threads
129 	 * from removing it using this lock.
130 	 */
131 	struct sx			 ap_sx;
132 
133 	/*
134 	 * Condition variable to signal when data has been delivered to a
135 	 * pipe.
136 	 */
137 	struct cv			 ap_cv;
138 
139 	/*
140 	 * Various queue-reated variables: qlen and qlimit are a count of
141 	 * records in the queue; qbyteslen is the number of bytes of data
142 	 * across all records, and qoffset is the amount read so far of the
143 	 * first record in the queue.  The number of bytes available for
144 	 * reading in the queue is qbyteslen - qoffset.
145 	 */
146 	u_int				 ap_qlen;
147 	u_int				 ap_qlimit;
148 	u_int				 ap_qbyteslen;
149 	u_int				 ap_qoffset;
150 
151 	/*
152 	 * Per-pipe operation statistics.
153 	 */
154 	u_int64_t			 ap_inserts;	/* Records added. */
155 	u_int64_t			 ap_reads;	/* Records read. */
156 	u_int64_t			 ap_drops;	/* Records dropped. */
157 
158 	/*
159 	 * Fields relating to pipe interest: global masks for unmatched
160 	 * processes (attributable, non-attributable), and a list of specific
161 	 * interest specifications by auid.
162 	 */
163 	int				 ap_preselect_mode;
164 	au_mask_t			 ap_preselect_flags;
165 	au_mask_t			 ap_preselect_naflags;
166 	TAILQ_HEAD(, audit_pipe_preselect)	ap_preselect_list;
167 
168 	/*
169 	 * Current pending record list.  Protected by a combination of ap_mtx
170 	 * and ap_sx.  Note particularly that *both* locks are required to
171 	 * remove a record from the head of the queue, as an in-progress read
172 	 * may sleep while copying and therefore cannot hold ap_mtx.
173 	 */
174 	TAILQ_HEAD(, audit_pipe_entry)	 ap_queue;
175 
176 	/*
177 	 * Global pipe list.
178 	 */
179 	TAILQ_ENTRY(audit_pipe)		 ap_list;
180 };
181 
182 #define	AUDIT_PIPE_LOCK(ap)		mtx_lock(&(ap)->ap_mtx)
183 #define	AUDIT_PIPE_LOCK_ASSERT(ap)	mtx_assert(&(ap)->ap_mtx, MA_OWNED)
184 #define	AUDIT_PIPE_LOCK_DESTROY(ap)	mtx_destroy(&(ap)->ap_mtx)
185 #define	AUDIT_PIPE_LOCK_INIT(ap)	mtx_init(&(ap)->ap_mtx, \
186 					    "audit_pipe_mtx", NULL, MTX_DEF)
187 #define	AUDIT_PIPE_UNLOCK(ap)		mtx_unlock(&(ap)->ap_mtx)
188 #define	AUDIT_PIPE_MTX(ap)		(&(ap)->ap_mtx)
189 
190 #define	AUDIT_PIPE_SX_LOCK_DESTROY(ap)	sx_destroy(&(ap)->ap_sx)
191 #define	AUDIT_PIPE_SX_LOCK_INIT(ap)	sx_init(&(ap)->ap_sx, "audit_pipe_sx")
192 #define	AUDIT_PIPE_SX_XLOCK_ASSERT(ap)	sx_assert(&(ap)->ap_sx, SA_XLOCKED)
193 #define	AUDIT_PIPE_SX_XLOCK_SIG(ap)	sx_xlock_sig(&(ap)->ap_sx)
194 #define	AUDIT_PIPE_SX_XUNLOCK(ap)	sx_xunlock(&(ap)->ap_sx)
195 
196 /*
197  * Global list of audit pipes, rwlock to protect it.  Individual record
198  * queues on pipes are protected by per-pipe locks; these locks synchronize
199  * between threads walking the list to deliver to individual pipes and add/
200  * remove of pipes, and are mostly acquired for read.
201  */
202 static TAILQ_HEAD(, audit_pipe)	 audit_pipe_list;
203 static struct rwlock		 audit_pipe_lock;
204 
205 #define	AUDIT_PIPE_LIST_LOCK_INIT()	rw_init(&audit_pipe_lock, \
206 					    "audit_pipe_list_lock")
207 #define	AUDIT_PIPE_LIST_LOCK_DESTROY()	rw_destroy(&audit_pipe_lock)
208 #define	AUDIT_PIPE_LIST_RLOCK()		rw_rlock(&audit_pipe_lock)
209 #define	AUDIT_PIPE_LIST_RUNLOCK()	rw_runlock(&audit_pipe_lock)
210 #define	AUDIT_PIPE_LIST_WLOCK()		rw_wlock(&audit_pipe_lock)
211 #define	AUDIT_PIPE_LIST_WLOCK_ASSERT()	rw_assert(&audit_pipe_lock, \
212 					    RA_WLOCKED)
213 #define	AUDIT_PIPE_LIST_WUNLOCK()	rw_wunlock(&audit_pipe_lock)
214 
215 /*
216  * Audit pipe device.
217  */
218 static struct cdev	*audit_pipe_dev;
219 
220 #define AUDIT_PIPE_NAME	"auditpipe"
221 
222 /*
223  * Special device methods and definition.
224  */
225 static d_open_t		audit_pipe_open;
226 static d_close_t	audit_pipe_close;
227 static d_read_t		audit_pipe_read;
228 static d_ioctl_t	audit_pipe_ioctl;
229 static d_poll_t		audit_pipe_poll;
230 static d_kqfilter_t	audit_pipe_kqfilter;
231 
232 static struct cdevsw	audit_pipe_cdevsw = {
233 	.d_version =	D_VERSION,
234 	.d_open =	audit_pipe_open,
235 	.d_close =	audit_pipe_close,
236 	.d_read =	audit_pipe_read,
237 	.d_ioctl =	audit_pipe_ioctl,
238 	.d_poll =	audit_pipe_poll,
239 	.d_kqfilter =	audit_pipe_kqfilter,
240 	.d_name =	AUDIT_PIPE_NAME,
241 };
242 
243 static int	audit_pipe_kqread(struct knote *note, long hint);
244 static void	audit_pipe_kqdetach(struct knote *note);
245 
246 static struct filterops audit_pipe_read_filterops = {
247 	.f_isfd =	1,
248 	.f_attach =	NULL,
249 	.f_detach =	audit_pipe_kqdetach,
250 	.f_event =	audit_pipe_kqread,
251 };
252 
253 /*
254  * Some global statistics on audit pipes.
255  */
256 static int		audit_pipe_count;	/* Current number of pipes. */
257 static u_int64_t	audit_pipe_ever;	/* Pipes ever allocated. */
258 static u_int64_t	audit_pipe_records;	/* Records seen. */
259 static u_int64_t	audit_pipe_drops;	/* Global record drop count. */
260 
261 /*
262  * Free an audit pipe entry.
263  */
264 static void
265 audit_pipe_entry_free(struct audit_pipe_entry *ape)
266 {
267 
268 	free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
269 	free(ape, M_AUDIT_PIPE_ENTRY);
270 }
271 
272 /*
273  * Find an audit pipe preselection specification for an auid, if any.
274  */
275 static struct audit_pipe_preselect *
276 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
277 {
278 	struct audit_pipe_preselect *app;
279 
280 	AUDIT_PIPE_LOCK_ASSERT(ap);
281 
282 	TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
283 		if (app->app_auid == auid)
284 			return (app);
285 	}
286 	return (NULL);
287 }
288 
289 /*
290  * Query the per-pipe mask for a specific auid.
291  */
292 static int
293 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
294     au_mask_t *maskp)
295 {
296 	struct audit_pipe_preselect *app;
297 	int error;
298 
299 	AUDIT_PIPE_LOCK(ap);
300 	app = audit_pipe_preselect_find(ap, auid);
301 	if (app != NULL) {
302 		*maskp = app->app_mask;
303 		error = 0;
304 	} else
305 		error = ENOENT;
306 	AUDIT_PIPE_UNLOCK(ap);
307 	return (error);
308 }
309 
310 /*
311  * Set the per-pipe mask for a specific auid.  Add a new entry if needed;
312  * otherwise, update the current entry.
313  */
314 static void
315 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
316 {
317 	struct audit_pipe_preselect *app, *app_new;
318 
319 	/*
320 	 * Pessimistically assume that the auid doesn't already have a mask
321 	 * set, and allocate.  We will free it if it is unneeded.
322 	 */
323 	app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
324 	AUDIT_PIPE_LOCK(ap);
325 	app = audit_pipe_preselect_find(ap, auid);
326 	if (app == NULL) {
327 		app = app_new;
328 		app_new = NULL;
329 		app->app_auid = auid;
330 		TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
331 	}
332 	app->app_mask = mask;
333 	AUDIT_PIPE_UNLOCK(ap);
334 	if (app_new != NULL)
335 		free(app_new, M_AUDIT_PIPE_PRESELECT);
336 }
337 
338 /*
339  * Delete a per-auid mask on an audit pipe.
340  */
341 static int
342 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
343 {
344 	struct audit_pipe_preselect *app;
345 	int error;
346 
347 	AUDIT_PIPE_LOCK(ap);
348 	app = audit_pipe_preselect_find(ap, auid);
349 	if (app != NULL) {
350 		TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
351 		error = 0;
352 	} else
353 		error = ENOENT;
354 	AUDIT_PIPE_UNLOCK(ap);
355 	if (app != NULL)
356 		free(app, M_AUDIT_PIPE_PRESELECT);
357 	return (error);
358 }
359 
360 /*
361  * Delete all per-auid masks on an audit pipe.
362  */
363 static void
364 audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
365 {
366 	struct audit_pipe_preselect *app;
367 
368 	AUDIT_PIPE_LOCK_ASSERT(ap);
369 
370 	while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
371 		TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
372 		free(app, M_AUDIT_PIPE_PRESELECT);
373 	}
374 }
375 
376 static void
377 audit_pipe_preselect_flush(struct audit_pipe *ap)
378 {
379 
380 	AUDIT_PIPE_LOCK(ap);
381 	audit_pipe_preselect_flush_locked(ap);
382 	AUDIT_PIPE_UNLOCK(ap);
383 }
384 
385 /*-
386  * Determine whether a specific audit pipe matches a record with these
387  * properties.  Algorithm is as follows:
388  *
389  * - If the pipe is configured to track the default trail configuration, then
390  *   use the results of global preselection matching.
391  * - If not, search for a specifically configured auid entry matching the
392  *   event.  If an entry is found, use that.
393  * - Otherwise, use the default flags or naflags configured for the pipe.
394  */
395 static int
396 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
397     au_event_t event, au_class_t class, int sorf, int trail_preselect)
398 {
399 	struct audit_pipe_preselect *app;
400 
401 	AUDIT_PIPE_LOCK_ASSERT(ap);
402 
403 	switch (ap->ap_preselect_mode) {
404 	case AUDITPIPE_PRESELECT_MODE_TRAIL:
405 		return (trail_preselect);
406 
407 	case AUDITPIPE_PRESELECT_MODE_LOCAL:
408 		app = audit_pipe_preselect_find(ap, auid);
409 		if (app == NULL) {
410 			if (auid == AU_DEFAUDITID)
411 				return (au_preselect(event, class,
412 				    &ap->ap_preselect_naflags, sorf));
413 			else
414 				return (au_preselect(event, class,
415 				    &ap->ap_preselect_flags, sorf));
416 		} else
417 			return (au_preselect(event, class, &app->app_mask,
418 			    sorf));
419 
420 	default:
421 		panic("audit_pipe_preselect_check: mode %d",
422 		    ap->ap_preselect_mode);
423 	}
424 
425 	return (0);
426 }
427 
428 /*
429  * Determine whether there exists a pipe interested in a record with specific
430  * properties.
431  */
432 int
433 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
434     int sorf, int trail_preselect)
435 {
436 	struct audit_pipe *ap;
437 
438 	/* Lockless read to avoid acquiring the global lock if not needed. */
439 	if (TAILQ_EMPTY(&audit_pipe_list))
440 		return (0);
441 
442 	AUDIT_PIPE_LIST_RLOCK();
443 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
444 		AUDIT_PIPE_LOCK(ap);
445 		if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
446 		    trail_preselect)) {
447 			AUDIT_PIPE_UNLOCK(ap);
448 			AUDIT_PIPE_LIST_RUNLOCK();
449 			return (1);
450 		}
451 		AUDIT_PIPE_UNLOCK(ap);
452 	}
453 	AUDIT_PIPE_LIST_RUNLOCK();
454 	return (0);
455 }
456 
457 /*
458  * Append individual record to a queue -- allocate queue-local buffer, and
459  * add to the queue.  If the queue is full or we can't allocate memory, drop
460  * the newest record.
461  */
462 static void
463 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
464 {
465 	struct audit_pipe_entry *ape;
466 
467 	AUDIT_PIPE_LOCK_ASSERT(ap);
468 
469 	if (ap->ap_qlen >= ap->ap_qlimit) {
470 		ap->ap_drops++;
471 		audit_pipe_drops++;
472 		return;
473 	}
474 
475 	ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
476 	if (ape == NULL) {
477 		ap->ap_drops++;
478 		audit_pipe_drops++;
479 		return;
480 	}
481 
482 	ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
483 	if (ape->ape_record == NULL) {
484 		free(ape, M_AUDIT_PIPE_ENTRY);
485 		ap->ap_drops++;
486 		audit_pipe_drops++;
487 		return;
488 	}
489 
490 	bcopy(record, ape->ape_record, record_len);
491 	ape->ape_record_len = record_len;
492 
493 	TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
494 	ap->ap_inserts++;
495 	ap->ap_qlen++;
496 	ap->ap_qbyteslen += ape->ape_record_len;
497 	selwakeuppri(&ap->ap_selinfo, PSOCK);
498 	KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
499 	if (ap->ap_flags & AUDIT_PIPE_ASYNC)
500 		pgsigio(&ap->ap_sigio, SIGIO, 0);
501 	cv_broadcast(&ap->ap_cv);
502 }
503 
504 /*
505  * audit_pipe_submit(): audit_worker submits audit records via this
506  * interface, which arranges for them to be delivered to pipe queues.
507  */
508 void
509 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
510     int trail_select, void *record, u_int record_len)
511 {
512 	struct audit_pipe *ap;
513 
514 	/*
515 	 * Lockless read to avoid lock overhead if pipes are not in use.
516 	 */
517 	if (TAILQ_FIRST(&audit_pipe_list) == NULL)
518 		return;
519 
520 	AUDIT_PIPE_LIST_RLOCK();
521 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
522 		AUDIT_PIPE_LOCK(ap);
523 		if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
524 		    trail_select))
525 			audit_pipe_append(ap, record, record_len);
526 		AUDIT_PIPE_UNLOCK(ap);
527 	}
528 	AUDIT_PIPE_LIST_RUNLOCK();
529 
530 	/* Unlocked increment. */
531 	audit_pipe_records++;
532 }
533 
534 /*
535  * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
536  * since we don't currently have selection information available, it is
537  * delivered to the pipe unconditionally.
538  *
539  * XXXRW: This is a bug.  The BSM check routine for submitting a user record
540  * should parse that information and return it.
541  */
542 void
543 audit_pipe_submit_user(void *record, u_int record_len)
544 {
545 	struct audit_pipe *ap;
546 
547 	/*
548 	 * Lockless read to avoid lock overhead if pipes are not in use.
549 	 */
550 	if (TAILQ_FIRST(&audit_pipe_list) == NULL)
551 		return;
552 
553 	AUDIT_PIPE_LIST_RLOCK();
554 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
555 		AUDIT_PIPE_LOCK(ap);
556 		audit_pipe_append(ap, record, record_len);
557 		AUDIT_PIPE_UNLOCK(ap);
558 	}
559 	AUDIT_PIPE_LIST_RUNLOCK();
560 
561 	/* Unlocked increment. */
562 	audit_pipe_records++;
563 }
564 
565 /*
566  * Allocate a new audit pipe.  Connects the pipe, on success, to the global
567  * list and updates statistics.
568  */
569 static struct audit_pipe *
570 audit_pipe_alloc(void)
571 {
572 	struct audit_pipe *ap;
573 
574 	ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO);
575 	if (ap == NULL)
576 		return (NULL);
577 	ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
578 	TAILQ_INIT(&ap->ap_queue);
579 	knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap));
580 	AUDIT_PIPE_LOCK_INIT(ap);
581 	AUDIT_PIPE_SX_LOCK_INIT(ap);
582 	cv_init(&ap->ap_cv, "audit_pipe");
583 
584 	/*
585 	 * Default flags, naflags, and auid-specific preselection settings to
586 	 * 0.  Initialize the mode to the global trail so that if praudit(1)
587 	 * is run on /dev/auditpipe, it sees events associated with the
588 	 * default trail.  Pipe-aware application can clear the flag, set
589 	 * custom masks, and flush the pipe as needed.
590 	 */
591 	bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
592 	bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
593 	TAILQ_INIT(&ap->ap_preselect_list);
594 	ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
595 
596 	/*
597 	 * Add to global list and update global statistics.
598 	 */
599 	AUDIT_PIPE_LIST_WLOCK();
600 	TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
601 	audit_pipe_count++;
602 	audit_pipe_ever++;
603 	AUDIT_PIPE_LIST_WUNLOCK();
604 
605 	return (ap);
606 }
607 
608 /*
609  * Flush all records currently present in an audit pipe; assume mutex is held.
610  */
611 static void
612 audit_pipe_flush(struct audit_pipe *ap)
613 {
614 	struct audit_pipe_entry *ape;
615 
616 	AUDIT_PIPE_LOCK_ASSERT(ap);
617 
618 	while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
619 		TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
620 		ap->ap_qbyteslen -= ape->ape_record_len;
621 		audit_pipe_entry_free(ape);
622 		ap->ap_qlen--;
623 	}
624 	ap->ap_qoffset = 0;
625 
626 	KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
627 	KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
628 }
629 
630 /*
631  * Free an audit pipe; this means freeing all preselection state and all
632  * records in the pipe.  Assumes global write lock and pipe mutex are held to
633  * prevent any new records from being inserted during the free, and that the
634  * audit pipe is still on the global list.
635  */
636 static void
637 audit_pipe_free(struct audit_pipe *ap)
638 {
639 
640 	AUDIT_PIPE_LIST_WLOCK_ASSERT();
641 	AUDIT_PIPE_LOCK_ASSERT(ap);
642 
643 	audit_pipe_preselect_flush_locked(ap);
644 	audit_pipe_flush(ap);
645 	cv_destroy(&ap->ap_cv);
646 	AUDIT_PIPE_SX_LOCK_DESTROY(ap);
647 	AUDIT_PIPE_LOCK_DESTROY(ap);
648 	seldrain(&ap->ap_selinfo);
649 	knlist_destroy(&ap->ap_selinfo.si_note);
650 	TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
651 	free(ap, M_AUDIT_PIPE);
652 	audit_pipe_count--;
653 }
654 
655 static void
656 audit_pipe_dtor(void *arg)
657 {
658 	struct audit_pipe *ap;
659 
660 	ap = arg;
661 	AUDIT_PIPE_LIST_WLOCK();
662 	AUDIT_PIPE_LOCK(ap);
663 	audit_pipe_free(ap);
664 	AUDIT_PIPE_LIST_WUNLOCK();
665 }
666 
667 /*
668  * Audit pipe open method.  Explicit privilege check isn't used as this
669  * allows file permissions on the special device to be used to grant audit
670  * review access.  Those file permissions should be managed carefully.
671  */
672 static int
673 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
674 {
675 	struct audit_pipe *ap;
676 	int error;
677 
678 	ap = audit_pipe_alloc();
679 	if (ap == NULL) {
680 		return (ENOMEM);
681 	}
682 	fsetown(td->td_proc->p_pid, &ap->ap_sigio);
683 	error = devfs_set_cdevpriv(ap, audit_pipe_dtor);
684 	if (error != 0) {
685 		AUDIT_PIPE_LIST_WLOCK();
686 		audit_pipe_free(ap);
687 		AUDIT_PIPE_LIST_WUNLOCK();
688 	}
689 	return (0);
690 }
691 
692 /*
693  * Close audit pipe, tear down all records, etc.
694  */
695 static int
696 audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td)
697 {
698 	struct audit_pipe *ap;
699 	int error;
700 
701 	error = devfs_get_cdevpriv((void **)&ap);
702 	if (error != 0)
703 		return (error);
704 	funsetown(&ap->ap_sigio);
705 	return (0);
706 }
707 
708 /*
709  * Audit pipe ioctl() routine.  Handle file descriptor and audit pipe layer
710  * commands.
711  */
712 static int
713 audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
714     struct thread *td)
715 {
716 	struct auditpipe_ioctl_preselect *aip;
717 	struct audit_pipe *ap;
718 	au_mask_t *maskp;
719 	int error, mode;
720 	au_id_t auid;
721 
722 	error = devfs_get_cdevpriv((void **)&ap);
723 	if (error != 0)
724 		return (error);
725 
726 	/*
727 	 * Audit pipe ioctls: first come standard device node ioctls, then
728 	 * manipulation of pipe settings, and finally, statistics query
729 	 * ioctls.
730 	 */
731 	switch (cmd) {
732 	case FIONBIO:
733 		AUDIT_PIPE_LOCK(ap);
734 		if (*(int *)data)
735 			ap->ap_flags |= AUDIT_PIPE_NBIO;
736 		else
737 			ap->ap_flags &= ~AUDIT_PIPE_NBIO;
738 		AUDIT_PIPE_UNLOCK(ap);
739 		error = 0;
740 		break;
741 
742 	case FIONREAD:
743 		AUDIT_PIPE_LOCK(ap);
744 		*(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
745 		AUDIT_PIPE_UNLOCK(ap);
746 		error = 0;
747 		break;
748 
749 	case FIOASYNC:
750 		AUDIT_PIPE_LOCK(ap);
751 		if (*(int *)data)
752 			ap->ap_flags |= AUDIT_PIPE_ASYNC;
753 		else
754 			ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
755 		AUDIT_PIPE_UNLOCK(ap);
756 		error = 0;
757 		break;
758 
759 	case FIOSETOWN:
760 		error = fsetown(*(int *)data, &ap->ap_sigio);
761 		break;
762 
763 	case FIOGETOWN:
764 		*(int *)data = fgetown(&ap->ap_sigio);
765 		error = 0;
766 		break;
767 
768 	case AUDITPIPE_GET_QLEN:
769 		*(u_int *)data = ap->ap_qlen;
770 		error = 0;
771 		break;
772 
773 	case AUDITPIPE_GET_QLIMIT:
774 		*(u_int *)data = ap->ap_qlimit;
775 		error = 0;
776 		break;
777 
778 	case AUDITPIPE_SET_QLIMIT:
779 		/* Lockless integer write. */
780 		if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
781 		    *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
782 			ap->ap_qlimit = *(u_int *)data;
783 			error = 0;
784 		} else
785 			error = EINVAL;
786 		break;
787 
788 	case AUDITPIPE_GET_QLIMIT_MIN:
789 		*(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
790 		error = 0;
791 		break;
792 
793 	case AUDITPIPE_GET_QLIMIT_MAX:
794 		*(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
795 		error = 0;
796 		break;
797 
798 	case AUDITPIPE_GET_PRESELECT_FLAGS:
799 		AUDIT_PIPE_LOCK(ap);
800 		maskp = (au_mask_t *)data;
801 		*maskp = ap->ap_preselect_flags;
802 		AUDIT_PIPE_UNLOCK(ap);
803 		error = 0;
804 		break;
805 
806 	case AUDITPIPE_SET_PRESELECT_FLAGS:
807 		AUDIT_PIPE_LOCK(ap);
808 		maskp = (au_mask_t *)data;
809 		ap->ap_preselect_flags = *maskp;
810 		AUDIT_PIPE_UNLOCK(ap);
811 		error = 0;
812 		break;
813 
814 	case AUDITPIPE_GET_PRESELECT_NAFLAGS:
815 		AUDIT_PIPE_LOCK(ap);
816 		maskp = (au_mask_t *)data;
817 		*maskp = ap->ap_preselect_naflags;
818 		AUDIT_PIPE_UNLOCK(ap);
819 		error = 0;
820 		break;
821 
822 	case AUDITPIPE_SET_PRESELECT_NAFLAGS:
823 		AUDIT_PIPE_LOCK(ap);
824 		maskp = (au_mask_t *)data;
825 		ap->ap_preselect_naflags = *maskp;
826 		AUDIT_PIPE_UNLOCK(ap);
827 		error = 0;
828 		break;
829 
830 	case AUDITPIPE_GET_PRESELECT_AUID:
831 		aip = (struct auditpipe_ioctl_preselect *)data;
832 		error = audit_pipe_preselect_get(ap, aip->aip_auid,
833 		    &aip->aip_mask);
834 		break;
835 
836 	case AUDITPIPE_SET_PRESELECT_AUID:
837 		aip = (struct auditpipe_ioctl_preselect *)data;
838 		audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
839 		error = 0;
840 		break;
841 
842 	case AUDITPIPE_DELETE_PRESELECT_AUID:
843 		auid = *(au_id_t *)data;
844 		error = audit_pipe_preselect_delete(ap, auid);
845 		break;
846 
847 	case AUDITPIPE_FLUSH_PRESELECT_AUID:
848 		audit_pipe_preselect_flush(ap);
849 		error = 0;
850 		break;
851 
852 	case AUDITPIPE_GET_PRESELECT_MODE:
853 		AUDIT_PIPE_LOCK(ap);
854 		*(int *)data = ap->ap_preselect_mode;
855 		AUDIT_PIPE_UNLOCK(ap);
856 		error = 0;
857 		break;
858 
859 	case AUDITPIPE_SET_PRESELECT_MODE:
860 		mode = *(int *)data;
861 		switch (mode) {
862 		case AUDITPIPE_PRESELECT_MODE_TRAIL:
863 		case AUDITPIPE_PRESELECT_MODE_LOCAL:
864 			AUDIT_PIPE_LOCK(ap);
865 			ap->ap_preselect_mode = mode;
866 			AUDIT_PIPE_UNLOCK(ap);
867 			error = 0;
868 			break;
869 
870 		default:
871 			error = EINVAL;
872 		}
873 		break;
874 
875 	case AUDITPIPE_FLUSH:
876 		if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
877 			return (EINTR);
878 		AUDIT_PIPE_LOCK(ap);
879 		audit_pipe_flush(ap);
880 		AUDIT_PIPE_UNLOCK(ap);
881 		AUDIT_PIPE_SX_XUNLOCK(ap);
882 		error = 0;
883 		break;
884 
885 	case AUDITPIPE_GET_MAXAUDITDATA:
886 		*(u_int *)data = MAXAUDITDATA;
887 		error = 0;
888 		break;
889 
890 	case AUDITPIPE_GET_INSERTS:
891 		*(u_int *)data = ap->ap_inserts;
892 		error = 0;
893 		break;
894 
895 	case AUDITPIPE_GET_READS:
896 		*(u_int *)data = ap->ap_reads;
897 		error = 0;
898 		break;
899 
900 	case AUDITPIPE_GET_DROPS:
901 		*(u_int *)data = ap->ap_drops;
902 		error = 0;
903 		break;
904 
905 	case AUDITPIPE_GET_TRUNCATES:
906 		*(u_int *)data = 0;
907 		error = 0;
908 		break;
909 
910 	default:
911 		error = ENOTTY;
912 	}
913 	return (error);
914 }
915 
916 /*
917  * Audit pipe read.  Read one or more partial or complete records to user
918  * memory.
919  */
920 static int
921 audit_pipe_read(struct cdev *dev, struct uio *uio, int flag)
922 {
923 	struct audit_pipe_entry *ape;
924 	struct audit_pipe *ap;
925 	u_int toread;
926 	int error;
927 
928 	error = devfs_get_cdevpriv((void **)&ap);
929 	if (error != 0)
930 		return (error);
931 
932 	/*
933 	 * We hold an sx(9) lock over read and flush because we rely on the
934 	 * stability of a record in the queue during uiomove(9).
935 	 */
936 	if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
937 		return (EINTR);
938 	AUDIT_PIPE_LOCK(ap);
939 	while (TAILQ_EMPTY(&ap->ap_queue)) {
940 		if (ap->ap_flags & AUDIT_PIPE_NBIO) {
941 			AUDIT_PIPE_UNLOCK(ap);
942 			AUDIT_PIPE_SX_XUNLOCK(ap);
943 			return (EAGAIN);
944 		}
945 		error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
946 		if (error) {
947 			AUDIT_PIPE_UNLOCK(ap);
948 			AUDIT_PIPE_SX_XUNLOCK(ap);
949 			return (error);
950 		}
951 	}
952 
953 	/*
954 	 * Copy as many remaining bytes from the current record to userspace
955 	 * as we can.  Keep processing records until we run out of records in
956 	 * the queue, or until the user buffer runs out of space.
957 	 *
958 	 * Note: we rely on the SX lock to maintain ape's stability here.
959 	 */
960 	ap->ap_reads++;
961 	while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
962 	    uio->uio_resid > 0) {
963 		AUDIT_PIPE_LOCK_ASSERT(ap);
964 
965 		KASSERT(ape->ape_record_len > ap->ap_qoffset,
966 		    ("audit_pipe_read: record_len > qoffset (1)"));
967 		toread = MIN(ape->ape_record_len - ap->ap_qoffset,
968 		    uio->uio_resid);
969 		AUDIT_PIPE_UNLOCK(ap);
970 		error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
971 		    toread, uio);
972 		if (error) {
973 			AUDIT_PIPE_SX_XUNLOCK(ap);
974 			return (error);
975 		}
976 
977 		/*
978 		 * If the copy succeeded, update book-keeping, and if no
979 		 * bytes remain in the current record, free it.
980 		 */
981 		AUDIT_PIPE_LOCK(ap);
982 		KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
983 		    ("audit_pipe_read: queue out of sync after uiomove"));
984 		ap->ap_qoffset += toread;
985 		KASSERT(ape->ape_record_len >= ap->ap_qoffset,
986 		    ("audit_pipe_read: record_len >= qoffset (2)"));
987 		if (ap->ap_qoffset == ape->ape_record_len) {
988 			TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
989 			ap->ap_qbyteslen -= ape->ape_record_len;
990 			audit_pipe_entry_free(ape);
991 			ap->ap_qlen--;
992 			ap->ap_qoffset = 0;
993 		}
994 	}
995 	AUDIT_PIPE_UNLOCK(ap);
996 	AUDIT_PIPE_SX_XUNLOCK(ap);
997 	return (0);
998 }
999 
1000 /*
1001  * Audit pipe poll.
1002  */
1003 static int
1004 audit_pipe_poll(struct cdev *dev, int events, struct thread *td)
1005 {
1006 	struct audit_pipe *ap;
1007 	int error, revents;
1008 
1009 	revents = 0;
1010 	error = devfs_get_cdevpriv((void **)&ap);
1011 	if (error != 0)
1012 		return (error);
1013 	if (events & (POLLIN | POLLRDNORM)) {
1014 		AUDIT_PIPE_LOCK(ap);
1015 		if (TAILQ_FIRST(&ap->ap_queue) != NULL)
1016 			revents |= events & (POLLIN | POLLRDNORM);
1017 		else
1018 			selrecord(td, &ap->ap_selinfo);
1019 		AUDIT_PIPE_UNLOCK(ap);
1020 	}
1021 	return (revents);
1022 }
1023 
1024 /*
1025  * Audit pipe kqfilter.
1026  */
1027 static int
1028 audit_pipe_kqfilter(struct cdev *dev, struct knote *kn)
1029 {
1030 	struct audit_pipe *ap;
1031 	int error;
1032 
1033 	error = devfs_get_cdevpriv((void **)&ap);
1034 	if (error != 0)
1035 		return (error);
1036 	if (kn->kn_filter != EVFILT_READ)
1037 		return (EINVAL);
1038 
1039 	kn->kn_fop = &audit_pipe_read_filterops;
1040 	kn->kn_hook = ap;
1041 
1042 	AUDIT_PIPE_LOCK(ap);
1043 	knlist_add(&ap->ap_selinfo.si_note, kn, 1);
1044 	AUDIT_PIPE_UNLOCK(ap);
1045 	return (0);
1046 }
1047 
1048 /*
1049  * Return true if there are records available for reading on the pipe.
1050  */
1051 static int
1052 audit_pipe_kqread(struct knote *kn, long hint)
1053 {
1054 	struct audit_pipe *ap;
1055 
1056 	ap = (struct audit_pipe *)kn->kn_hook;
1057 	AUDIT_PIPE_LOCK_ASSERT(ap);
1058 
1059 	if (ap->ap_qlen != 0) {
1060 		kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
1061 		return (1);
1062 	} else {
1063 		kn->kn_data = 0;
1064 		return (0);
1065 	}
1066 }
1067 
1068 /*
1069  * Detach kqueue state from audit pipe.
1070  */
1071 static void
1072 audit_pipe_kqdetach(struct knote *kn)
1073 {
1074 	struct audit_pipe *ap;
1075 
1076 	ap = (struct audit_pipe *)kn->kn_hook;
1077 	AUDIT_PIPE_LOCK(ap);
1078 	knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
1079 	AUDIT_PIPE_UNLOCK(ap);
1080 }
1081 
1082 /*
1083  * Initialize the audit pipe system.
1084  */
1085 static void
1086 audit_pipe_init(void *unused)
1087 {
1088 
1089 	TAILQ_INIT(&audit_pipe_list);
1090 	AUDIT_PIPE_LIST_LOCK_INIT();
1091 	audit_pipe_dev = make_dev(&audit_pipe_cdevsw, 0, UID_ROOT,
1092 		GID_WHEEL, 0600, "%s", AUDIT_PIPE_NAME);
1093 	if (audit_pipe_dev == NULL) {
1094 		AUDIT_PIPE_LIST_LOCK_DESTROY();
1095 		panic("Can't initialize audit pipe subsystem");
1096 	}
1097 }
1098 
1099 SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init,
1100     NULL);
1101