1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * 26 */ 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 /* 29 * Threads: 30 * 31 * auditd is thread 0 and does signal handling 32 * 33 * input() is a door server that receives binary audit records and 34 * queues them for handling by an instance of process() for conversion to syslog 35 * message(s). There is one process thread per plugin. 36 * 37 * Queues: 38 * 39 * Each plugin has a buffer pool and and queue for feeding the 40 * the process threads. The input thread moves buffers from the pool 41 * to the queue and the process thread puts them back. 42 * 43 * Another pool, b_pool, contains buffers referenced by each of the 44 * process queues; this is to minimize the number of buffer copies 45 * 46 */ 47 48 #include <arpa/inet.h> 49 #include <assert.h> 50 #include <bsm/adt.h> 51 #include <dlfcn.h> 52 #include <errno.h> 53 #include <fcntl.h> 54 #include <libintl.h> 55 #include <pthread.h> 56 #include <secdb.h> 57 #include <security/auditd.h> 58 #include <signal.h> 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 #include <syslog.h> 63 #include <sys/socket.h> 64 #include <sys/types.h> 65 #include <sys/stat.h> 66 #include <unistd.h> 67 #include <audit_plugin.h> /* libbsm */ 68 #include "plugin.h" 69 #include <bsm/audit_door_infc.h> 70 #include "audit_sig_infc.h" 71 #include "queue.h" 72 73 #define DEBUG 0 74 75 #if DEBUG 76 77 static FILE *dbfp; 78 #define DUMP(w, x, y, z) dump_state(w, x, y, z) 79 #define DPRINT(x) {(void) fprintf x; } 80 81 #else 82 83 #define DUMP(w, x, y, z) 84 #define DPRINT(x) 85 86 #endif 87 88 #define FATAL_MESSAGE_LEN 256 89 90 #define MIN_RECORD_SIZE (size_t)25 91 92 #define INPUT_MIN 2 93 #define THRESHOLD_PCT 75 94 #define DEFAULT_BUF_SZ (size_t)250 95 #define BASE_PRIORITY 10 /* 0 - 20 valid for user, time share */ 96 #define HIGH_PRIORITY BASE_PRIORITY - 1 97 98 static thr_data_t in_thr; /* input thread locks and data */ 99 static int doorfd = -1; 100 101 static int largest_queue = INPUT_MIN; 102 static au_queue_t b_pool; 103 static int b_allocated = 0; 104 static pthread_mutex_t b_alloc_lock; 105 static pthread_mutex_t b_refcnt_lock; 106 107 static void input(void *, void *, int, door_desc_t *, int); 108 static void process(plugin_t *); 109 110 static audit_q_t *qpool_withdraw(plugin_t *); 111 static void qpool_init(plugin_t *, int); 112 static void qpool_return(plugin_t *, audit_q_t *); 113 static void qpool_close(plugin_t *); 114 115 static audit_rec_t *bpool_withdraw(char *, size_t, size_t); 116 static void bpool_init(); 117 static void bpool_return(audit_rec_t *); 118 119 /* 120 * warn_or_fatal() -- log daemon error and (optionally) exit 121 */ 122 static void 123 warn_or_fatal(int fatal, char *parting_shot) 124 { 125 char *severity; 126 char message[512]; 127 128 if (fatal) 129 severity = gettext("fatal error"); 130 else 131 severity = gettext("warning"); 132 133 (void) snprintf(message, 512, "%s: %s", severity, parting_shot); 134 135 __audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, 136 LOG_DAEMON, LOG_ALERT, message); 137 138 DPRINT((dbfp, "auditd warn_or_fatal %s: %s\n", severity, parting_shot)); 139 if (fatal) 140 auditd_exit(1); 141 } 142 143 /* Internal to doorway.c errors... */ 144 #define INTERNAL_LOAD_ERROR -1 145 #define INTERNAL_SYS_ERROR -2 146 #define INTERNAL_CONFIG_ERROR -3 147 148 /* 149 * report_error -- handle errors returned by plugin 150 * 151 * rc is plugin's return code if it is a non-negative value, 152 * otherwise it is a doorway.c code about a plugin. 153 */ 154 static void 155 report_error(auditd_rc_t rc, char *error_text, char *plugin_path) 156 { 157 int warn = 0; 158 char rcbuf[100]; /* short error name string */ 159 char message[FATAL_MESSAGE_LEN]; 160 int bad_count = 0; 161 char *name; 162 char empty[] = ".."; 163 164 static int no_plug = 0; 165 static int no_load = 0; 166 static int no_thread; 167 static int no_memory = 0; 168 static int invalid = 0; 169 static int retry = 0; 170 static int fail = 0; 171 172 name = plugin_path; 173 if (error_text == NULL) 174 error_text = empty; 175 if (name == NULL) 176 name = empty; 177 178 switch (rc) { 179 case INTERNAL_LOAD_ERROR: 180 warn = 1; 181 bad_count = ++no_load; 182 (void) strcpy(rcbuf, "load_error"); 183 break; 184 case INTERNAL_SYS_ERROR: 185 warn = 1; 186 bad_count = ++no_thread; 187 (void) strcpy(rcbuf, "sys_error"); 188 break; 189 case INTERNAL_CONFIG_ERROR: 190 warn = 1; 191 bad_count = ++no_plug; 192 (void) strcpy(rcbuf, "config_error"); 193 name = strdup("--"); 194 break; 195 case AUDITD_SUCCESS: 196 break; 197 case AUDITD_NO_MEMORY: /* no_memory */ 198 warn = 1; 199 bad_count = ++no_memory; 200 (void) strcpy(rcbuf, "no_memory"); 201 break; 202 case AUDITD_INVALID: /* invalid */ 203 warn = 1; 204 bad_count = ++invalid; 205 (void) strcpy(rcbuf, "invalid"); 206 break; 207 case AUDITD_RETRY: 208 warn = 1; 209 bad_count = ++retry; 210 (void) strcpy(rcbuf, "retry"); 211 break; 212 case AUDITD_COMM_FAIL: /* comm_fail */ 213 (void) strcpy(rcbuf, "comm_fail"); 214 break; 215 case AUDITD_FATAL: /* failure */ 216 warn = 1; 217 bad_count = ++fail; 218 (void) strcpy(rcbuf, "failure"); 219 break; 220 default: 221 (void) strcpy(rcbuf, "error"); 222 break; 223 } 224 DPRINT((dbfp, "report_error(%d - %s): %s\n\t%s\n", 225 bad_count, name, rcbuf, error_text)); 226 if (warn) 227 __audit_dowarn2("plugin", name, rcbuf, error_text, bad_count); 228 else { 229 (void) snprintf(message, FATAL_MESSAGE_LEN, 230 gettext("audit plugin %s reported error = \"%s\": %s\n"), 231 name, rcbuf, error_text); 232 warn_or_fatal(0, message); 233 } 234 } 235 236 static size_t 237 getlen(char *buf) 238 { 239 adr_t adr; 240 char tokenid; 241 uint32_t len; 242 243 adr.adr_now = buf; 244 adr.adr_stream = buf; 245 246 adrm_char(&adr, &tokenid, 1); 247 if ((tokenid == AUT_OHEADER) || (tokenid == AUT_HEADER32) || 248 (tokenid == AUT_HEADER32_EX) || (tokenid == AUT_HEADER64) || 249 (tokenid == AUT_HEADER64_EX)) { 250 adrm_u_int32(&adr, &len, 1); 251 252 return (len); 253 } 254 DPRINT((dbfp, "getlen() is not looking at a header token\n")); 255 256 return (0); 257 } 258 259 /* 260 * load_function - call dlsym() to resolve the function address 261 */ 262 static int 263 load_function(plugin_t *p, char *name, auditd_rc_t (**func)()) 264 { 265 *func = (auditd_rc_t (*)())dlsym(p->plg_dlptr, name); 266 if (*func == NULL) { 267 char message[FATAL_MESSAGE_LEN]; 268 char *errmsg = dlerror(); 269 270 (void) snprintf(message, FATAL_MESSAGE_LEN, 271 gettext("dlsym failed %s: error %s"), 272 name, errmsg != NULL ? errmsg : gettext("Unknown error\n")); 273 274 warn_or_fatal(0, message); 275 return (-1); 276 } 277 return (0); 278 } 279 280 /* 281 * load the auditd plug in 282 */ 283 static int 284 load_plugin(plugin_t *p) 285 { 286 struct stat64 stat; 287 int fd; 288 int fail = 0; 289 290 /* 291 * Stat the file so we can check modes and ownerships 292 */ 293 if ((fd = open(p->plg_path, O_NONBLOCK | O_RDONLY)) != -1) { 294 if ((fstat64(fd, &stat) == -1) || (!S_ISREG(stat.st_mode))) 295 fail = 1; 296 } else 297 fail = 1; 298 if (fail) { 299 char message[FATAL_MESSAGE_LEN]; 300 301 (void) snprintf(message, FATAL_MESSAGE_LEN, 302 gettext("auditd plugin: stat(%s) failed: %s\n"), 303 p->plg_path, strerror(errno)); 304 305 warn_or_fatal(0, message); 306 return (-1); 307 } 308 /* 309 * Check the ownership of the file 310 */ 311 if (stat.st_uid != (uid_t)0) { 312 char message[FATAL_MESSAGE_LEN]; 313 314 (void) snprintf(message, FATAL_MESSAGE_LEN, 315 gettext( 316 "auditd plugin: Owner of the module %s is not root\n"), 317 p->plg_path); 318 319 warn_or_fatal(0, message); 320 return (-1); 321 } 322 /* 323 * Check the modes on the file 324 */ 325 if (stat.st_mode&S_IWGRP) { 326 char message[FATAL_MESSAGE_LEN]; 327 328 (void) snprintf(message, FATAL_MESSAGE_LEN, 329 gettext("auditd plugin: module %s writable by group\n"), 330 p->plg_path); 331 332 warn_or_fatal(0, message); 333 return (-1); 334 } 335 if (stat.st_mode&S_IWOTH) { 336 char message[FATAL_MESSAGE_LEN]; 337 338 (void) snprintf(message, FATAL_MESSAGE_LEN, 339 gettext("auditd plugin: module %s writable by world\n"), 340 p->plg_path); 341 342 warn_or_fatal(0, message); 343 return (-1); 344 } 345 /* 346 * Open the plugin 347 */ 348 p->plg_dlptr = dlopen(p->plg_path, RTLD_LAZY); 349 350 if (p->plg_dlptr == NULL) { 351 char message[FATAL_MESSAGE_LEN]; 352 char *errmsg = dlerror(); 353 354 (void) snprintf(message, FATAL_MESSAGE_LEN, 355 gettext("plugin load %s failed: %s\n"), 356 p->plg_path, errmsg != NULL ? errmsg : 357 gettext("Unknown error\n")); 358 359 warn_or_fatal(0, message); 360 return (-1); 361 } 362 if (load_function(p, "auditd_plugin", &(p->plg_fplugin))) 363 return (-1); 364 365 if (load_function(p, "auditd_plugin_open", &(p->plg_fplugin_open))) 366 return (-1); 367 368 if (load_function(p, "auditd_plugin_close", &(p->plg_fplugin_close))) 369 return (-1); 370 371 return (0); 372 } 373 374 /* 375 * unload_plugin() unlinks and frees the plugin_t structure after 376 * freeing buffers and structures that hang off it. It also dlcloses 377 * the referenced plugin. The return is the next entry, which may be NULL 378 * 379 * hold plugin_mutex for this call 380 */ 381 static plugin_t * 382 unload_plugin(plugin_t *p) 383 { 384 plugin_t *q, **r; 385 386 assert(pthread_mutex_trylock(&plugin_mutex) != 0); 387 388 DPRINT((dbfp, "unload_plugin: removing %s\n", p->plg_path)); 389 390 _kva_free(p->plg_kvlist); /* _kva_free accepts NULL */ 391 qpool_close(p); /* qpool_close accepts NULL pool, queue */ 392 DPRINT((dbfp, "unload_plugin: %s structure removed\n", p->plg_path)); 393 394 (void) dlclose(p->plg_dlptr); 395 396 DPRINT((dbfp, "unload_plugin: %s dlclosed\n", p->plg_path)); 397 free(p->plg_path); 398 399 (void) pthread_mutex_destroy(&(p->plg_mutex)); 400 (void) pthread_cond_destroy(&(p->plg_cv)); 401 402 q = plugin_head; 403 r = &plugin_head; 404 while (q != NULL) { 405 if (q == p) { 406 *r = p->plg_next; 407 free(p); 408 break; 409 } 410 r = &(q->plg_next); 411 q = q->plg_next; 412 } 413 return (*r); 414 } 415 416 /* 417 * process return values from plugin_open 418 * 419 * presently no attribute is defined. 420 */ 421 /* ARGSUSED */ 422 static void 423 open_return(plugin_t *p, char *attrval) 424 { 425 } 426 427 /* 428 * auditd_thread_init 429 * - create threads 430 * - load plugins 431 * 432 * auditd_thread_init is called at auditd startup with an initial list 433 * of plugins and again each time audit catches a AU_SIG_READ_CONTROL 434 * or AU_SIG_NEXT_DIR. 435 * 436 */ 437 int 438 auditd_thread_init() 439 { 440 int threshold; 441 auditd_rc_t rc; 442 plugin_t *p; 443 char *open_params; 444 char *error_string; 445 int plugin_count = 0; 446 static int threads_ready = 0; 447 448 if (!threads_ready) { 449 struct sched_param param; 450 #if DEBUG 451 dbfp = __auditd_debug_file_open(); 452 #endif 453 doorfd = door_create((void(*)())input, 0, 454 DOOR_REFUSE_DESC | DOOR_NO_CANCEL); 455 if (doorfd < 0) 456 return (1); /* can't create door -> fatal */ 457 458 param.sched_priority = BASE_PRIORITY; 459 (void) pthread_setschedparam(pthread_self(), SCHED_OTHER, 460 ¶m); 461 462 /* input door server */ 463 (void) pthread_mutex_init(&(in_thr.thd_mutex), NULL); 464 (void) pthread_cond_init(&(in_thr.thd_cv), NULL); 465 in_thr.thd_waiting = 0; 466 467 bpool_init(); 468 } 469 p = plugin_head; 470 while (p != NULL) { 471 if (p->plg_removed) { 472 DPRINT((dbfp, "start removing %s\n", p->plg_path)); 473 /* tell process(p) to exit and dlclose */ 474 (void) pthread_cond_signal(&(p->plg_cv)); 475 } else if (!p->plg_initialized) { 476 DPRINT((dbfp, "start initial load of %s\n", 477 p->plg_path)); 478 if (load_plugin(p)) { 479 report_error(INTERNAL_LOAD_ERROR, 480 gettext("dynamic load failed"), 481 p->plg_path); 482 p = unload_plugin(p); 483 continue; 484 } 485 open_params = NULL; 486 error_string = NULL; 487 if ((rc = p->plg_fplugin_open( 488 p->plg_kvlist, 489 &open_params, &error_string)) != AUDITD_SUCCESS) { 490 report_error(rc, error_string, p->plg_path); 491 free(error_string); 492 p = unload_plugin(p); 493 continue; 494 } 495 open_return(p, open_params); 496 p->plg_reopen = 0; 497 498 threshold = ((p->plg_qmax * THRESHOLD_PCT) + 99) / 100; 499 p->plg_qmin = INPUT_MIN; 500 501 DPRINT((dbfp, 502 "calling qpool_init for %s with qmax=%d\n", 503 p->plg_path, p->plg_qmax)); 504 505 qpool_init(p, threshold); 506 audit_queue_init(&(p->plg_queue)); 507 p->plg_initialized = 1; 508 509 (void) pthread_mutex_init(&(p->plg_mutex), NULL); 510 (void) pthread_cond_init(&(p->plg_cv), NULL); 511 p->plg_waiting = 0; 512 513 if (pthread_create(&(p->plg_tid), NULL, 514 (void *(*)(void *))process, p)) { 515 report_error(INTERNAL_SYS_ERROR, 516 gettext("thread creation failed"), 517 p->plg_path); 518 p = unload_plugin(p); 519 continue; 520 } 521 } else if (p->plg_reopen) { 522 DPRINT((dbfp, "reopen %s\n", p->plg_path)); 523 error_string = NULL; 524 if ((rc = p->plg_fplugin_open( 525 p->plg_kvlist, 526 &open_params, &error_string)) != AUDITD_SUCCESS) { 527 528 report_error(rc, error_string, p->plg_path); 529 free(error_string); 530 p = unload_plugin(p); 531 continue; 532 } 533 open_return(p, open_params); 534 p->plg_reopen = 0; 535 536 DPRINT((dbfp, "%s qmax=%d\n", 537 p->plg_path, p->plg_qmax)); 538 539 } 540 p->plg_q_threshold = ((p->plg_qmax * THRESHOLD_PCT) + 99) / 100; 541 542 p = p->plg_next; 543 plugin_count++; 544 } 545 if (plugin_count == 0) { 546 report_error(INTERNAL_CONFIG_ERROR, 547 gettext("No plugins are configured"), NULL); 548 return (-1); 549 } 550 if (!threads_ready) { 551 /* unleash the kernel */ 552 rc = auditdoor(doorfd); 553 554 DPRINT((dbfp, "%d returned from auditdoor.\n", 555 rc)); 556 if (rc != 0) 557 return (1); /* fatal */ 558 559 threads_ready = 1; 560 } 561 return (0); 562 } 563 564 /* 565 * Door invocations that are in progress during a 566 * door_revoke() invocation are allowed to complete normally. 567 * -- man page for door_revoke() 568 */ 569 void 570 auditd_thread_close() 571 { 572 if (doorfd == -1) 573 return; 574 (void) door_revoke(doorfd); 575 doorfd = -1; 576 } 577 578 /* 579 * qpool_init() sets up pool for queue entries (audit_q_t) 580 * 581 */ 582 static void 583 qpool_init(plugin_t *p, int threshold) 584 { 585 int i; 586 audit_q_t *node; 587 588 audit_queue_init(&(p->plg_pool)); 589 590 DPRINT((dbfp, "qpool_init(%d) max, min, threshhold = %d, %d, %d\n", 591 p->plg_tid, p->plg_qmax, p->plg_qmin, threshold)); 592 593 if (p->plg_qmax > largest_queue) 594 largest_queue = p->plg_qmax; 595 596 p->plg_q_threshold = threshold; 597 598 for (i = 0; i < p->plg_qmin; i++) { 599 node = malloc(sizeof (audit_q_t)); 600 if (node == NULL) 601 warn_or_fatal(1, gettext("no memory\n")); 602 /* doesn't return */ 603 604 audit_enqueue(&p->plg_pool, node); 605 } 606 } 607 608 /* 609 * bpool_init() sets up pool and queue for record entries (audit_rec_t) 610 * 611 */ 612 static void 613 bpool_init() 614 { 615 int i; 616 audit_rec_t *node; 617 618 audit_queue_init(&b_pool); 619 (void) pthread_mutex_init(&b_alloc_lock, NULL); 620 (void) pthread_mutex_init(&b_refcnt_lock, NULL); 621 622 for (i = 0; i < INPUT_MIN; i++) { 623 node = malloc(AUDIT_REC_HEADER + DEFAULT_BUF_SZ); 624 if (node == NULL) 625 warn_or_fatal(1, gettext("no memory\n")); 626 /* doesn't return */ 627 628 node->abq_buf_len = DEFAULT_BUF_SZ; 629 630 node->abq_data_len = 0; 631 audit_enqueue(&b_pool, node); 632 (void) pthread_mutex_lock(&b_alloc_lock); 633 b_allocated++; 634 (void) pthread_mutex_unlock(&b_alloc_lock); 635 } 636 } 637 638 /* 639 * qpool_close() discard queue and pool for a discontinued plugin 640 * 641 * there is no corresponding bpool_close() since it would only 642 * be called as auditd is going down. 643 */ 644 static void 645 qpool_close(plugin_t *p) { 646 audit_q_t *q_node; 647 audit_rec_t *b_node; 648 649 if (!p->plg_initialized) 650 return; 651 652 while (audit_dequeue(&(p->plg_pool), (void *)&q_node) == 0) { 653 free(q_node); 654 } 655 audit_queue_destroy(&(p->plg_pool)); 656 657 while (audit_dequeue(&(p->plg_queue), (void *)&q_node) == 0) { 658 b_node = audit_release(&b_refcnt_lock, q_node->aqq_data); 659 if (b_node != NULL) 660 audit_enqueue(&b_pool, b_node); 661 free(q_node); 662 } 663 audit_queue_destroy(&(p->plg_queue)); 664 } 665 666 /* 667 * qpool_withdraw 668 */ 669 static audit_q_t * 670 qpool_withdraw(plugin_t *p) 671 { 672 audit_q_t *node; 673 int rc; 674 675 /* get a buffer from the pool, if any */ 676 rc = audit_dequeue(&(p->plg_pool), (void *)&node); 677 if (rc == 0) 678 return (node); 679 680 /* 681 * the pool is empty: allocate a new element 682 */ 683 node = malloc(sizeof (audit_q_t)); 684 685 if (node == NULL) 686 warn_or_fatal(1, gettext("no memory\n")); 687 /* doesn't return */ 688 689 return (node); 690 } 691 692 /* 693 * bpool_withdraw -- gets a buffer and fills it 694 * 695 */ 696 static audit_rec_t * 697 bpool_withdraw(char *buffer, size_t buff_size, size_t request_size) 698 { 699 audit_rec_t *node; 700 int rc; 701 size_t new_length; 702 703 new_length = (request_size > DEFAULT_BUF_SZ) ? 704 request_size : DEFAULT_BUF_SZ; 705 706 /* get a buffer from the pool, if any */ 707 rc = audit_dequeue(&b_pool, (void *)&node); 708 709 DPRINT((dbfp, "bpool_withdraw buf length=%d," 710 " requested size=%d, dequeue rc=%d\n", 711 new_length, request_size, rc)); 712 713 if (rc == 0) { 714 DPRINT((dbfp, "bpool_withdraw node=%X (pool=%d)\n", node, 715 audit_queue_size(&b_pool))); 716 717 if (new_length > node->abq_buf_len) { 718 node = realloc(node, AUDIT_REC_HEADER + new_length); 719 if (node == NULL) 720 warn_or_fatal(1, gettext("no memory\n")); 721 /* no return */ 722 } 723 } else { 724 /* 725 * the pool is empty: allocate a new element 726 */ 727 (void) pthread_mutex_lock(&b_alloc_lock); 728 if (b_allocated >= largest_queue) { 729 (void) pthread_mutex_unlock(&b_alloc_lock); 730 DPRINT((dbfp, "bpool_withdraw is over max (pool=%d)\n", 731 audit_queue_size(&b_pool))); 732 return (NULL); 733 } 734 (void) pthread_mutex_unlock(&b_alloc_lock); 735 736 node = malloc(AUDIT_REC_HEADER + new_length); 737 738 if (node == NULL) 739 warn_or_fatal(1, gettext("no memory\n")); 740 /* no return */ 741 742 (void) pthread_mutex_lock(&b_alloc_lock); 743 b_allocated++; 744 (void) pthread_mutex_unlock(&b_alloc_lock); 745 DPRINT((dbfp, "bpool_withdraw node=%X (alloc=%d, pool=%d)\n", 746 node, b_allocated, audit_queue_size(&b_pool))); 747 } 748 assert(request_size <= new_length); 749 750 (void) memcpy(node->abq_buffer, buffer, buff_size); 751 node->abq_data_len = buff_size; 752 node->abq_buf_len = new_length; 753 node->abq_ref_count = 0; 754 755 return (node); 756 } 757 758 /* 759 * qpool_return() moves queue nodes back to the pool queue. 760 * 761 * if the pool is over max, the node is discarded instead. 762 */ 763 static void 764 qpool_return(plugin_t *p, audit_q_t *node) 765 { 766 int qpool_size; 767 int q_size; 768 769 #if DEBUG 770 uint32_t sequence = node->aqq_sequence; 771 #endif 772 qpool_size = audit_queue_size(&(p->plg_pool)); 773 q_size = audit_queue_size(&(p->plg_queue)); 774 775 if (qpool_size + q_size > p->plg_qmax) 776 free(node); 777 else 778 audit_enqueue(&(p->plg_pool), node); 779 780 DPRINT((dbfp, 781 "qpool_return(%d): seq=%d, q size=%d," 782 " pool size=%d (total alloc=%d), threshhold=%d\n", 783 p->plg_tid, sequence, q_size, qpool_size, 784 q_size + qpool_size, p->plg_q_threshold)); 785 } 786 787 /* 788 * bpool_return() moves queue nodes back to the pool queue. 789 */ 790 static void 791 bpool_return(audit_rec_t *node) 792 { 793 #if DEBUG 794 audit_rec_t *copy = node; 795 #endif 796 node = audit_release(&b_refcnt_lock, node); /* decrement ref cnt */ 797 798 if (node != NULL) { /* NULL if ref cnt is not zero */ 799 audit_enqueue(&b_pool, node); 800 DPRINT((dbfp, 801 "bpool_return: requeue %X (allocated=%d," 802 " pool size=%d)\n", node, b_allocated, 803 audit_queue_size(&b_pool))); 804 } 805 #if DEBUG 806 else { 807 DPRINT((dbfp, 808 "bpool_return: decrement count for %X (allocated=%d," 809 " pool size=%d)\n", copy, b_allocated, 810 audit_queue_size(&b_pool))); 811 } 812 #endif 813 } 814 815 #if DEBUG 816 static void 817 dump_state(char *src, plugin_t *p, int count, char *msg) 818 { 819 struct sched_param param; 820 int policy; 821 /* 822 * count is message sequence 823 */ 824 (void) pthread_getschedparam(p->plg_tid, &policy, ¶m); 825 (void) fprintf(dbfp, "%7s(%d/%d) %11s:" 826 " input_in_wait=%d" 827 " priority=%d" 828 " queue size=%d pool size=%d" 829 "\n\t" 830 "process wait=%d" 831 " tossed=%d" 832 " queued=%d" 833 " written=%d" 834 "\n", 835 src, p->plg_tid, count, msg, 836 in_thr.thd_waiting, param.sched_priority, 837 audit_queue_size(&(p->plg_queue)), 838 audit_queue_size(&(p->plg_pool)), 839 p->plg_waiting, p->plg_tossed, 840 p->plg_queued, p->plg_output); 841 842 (void) fflush(dbfp); 843 } 844 #endif 845 846 /* 847 * policy_is_block: return 1 if the continue policy is off for any active 848 * plugin, else 0 849 */ 850 static int 851 policy_is_block() 852 { 853 plugin_t *p; 854 855 (void) pthread_mutex_lock(&plugin_mutex); 856 p = plugin_head; 857 858 while (p != NULL) { 859 if (p->plg_cnt == 0) { 860 (void) pthread_mutex_unlock(&plugin_mutex); 861 DPRINT((dbfp, 862 "policy_is_block: policy is to block\n")); 863 return (1); 864 } 865 p = p->plg_next; 866 } 867 (void) pthread_mutex_unlock(&plugin_mutex); 868 DPRINT((dbfp, "policy_is_block: policy is to continue\n")); 869 return (0); 870 } 871 872 /* 873 * policy_update() -- the kernel has received a policy change. 874 * Presently, the only policy auditd cares about is AUDIT_CNT 875 */ 876 static void 877 policy_update(uint32_t newpolicy) 878 { 879 plugin_t *p; 880 881 DPRINT((dbfp, "policy change: %X\n", newpolicy)); 882 (void) pthread_mutex_lock(&plugin_mutex); 883 p = plugin_head; 884 while (p != NULL) { 885 p->plg_cnt = (newpolicy & AUDIT_CNT) ? 1 : 0; 886 (void) pthread_cond_signal(&(p->plg_cv)); 887 888 DPRINT((dbfp, "policy changed for thread %d\n", p->plg_tid)); 889 p = p->plg_next; 890 } 891 (void) pthread_mutex_unlock(&plugin_mutex); 892 } 893 894 /* 895 * queue_buffer() inputs a buffer and queues for each active plugin if 896 * it represents a complete audit record. Otherwise it builds a 897 * larger buffer to hold the record and take successive buffers from 898 * c2audit to build a complete record; then queues it for each plugin. 899 * 900 * return 0 if data is queued (or damaged and tossed). If resources 901 * are not available, return 0 if all active plugins have the cnt 902 * policy set, else 1. 0 is also returned if the input is a control 903 * message. (aub_buf is aligned on a 64 bit boundary, so casting 904 * it to an integer works just fine.) 905 */ 906 static int 907 queue_buffer(au_dbuf_t *kl) 908 { 909 plugin_t *p; 910 audit_rec_t *b_copy; 911 audit_q_t *q_copy; 912 boolean_t referenced = 0; 913 static char *invalid_msg = "invalid audit record discarded"; 914 static char *invalid_control = 915 "invalid audit control discarded"; 916 917 static audit_rec_t *alt_b_copy = NULL; 918 static size_t alt_length; 919 static size_t alt_offset; 920 921 /* 922 * the buffer may be a kernel -> auditd message. (only 923 * the policy change message exists so far.) 924 */ 925 926 if ((kl->aub_type & AU_DBUF_NOTIFY) != 0) { 927 uint32_t control; 928 929 control = kl->aub_type & ~AU_DBUF_NOTIFY; 930 switch (control) { 931 case AU_DBUF_POLICY: 932 /* LINTED */ 933 policy_update(*(uint32_t *)kl->aub_buf); 934 break; 935 case AU_DBUF_SHUTDOWN: 936 (void) kill(getpid(), AU_SIG_DISABLE); 937 DPRINT((dbfp, "AU_DBUF_SHUTDOWN message\n")); 938 break; 939 default: 940 warn_or_fatal(0, gettext(invalid_control)); 941 break; 942 } 943 return (0); 944 } 945 /* 946 * The test for valid continuation/completion may fail. Need to 947 * assume the failure was earlier and that this buffer may 948 * be a valid first or complete buffer after discarding the 949 * incomplete record 950 */ 951 952 if (alt_b_copy != NULL) { 953 if ((kl->aub_type == AU_DBUF_FIRST) || 954 (kl->aub_type == AU_DBUF_COMPLETE)) { 955 DPRINT((dbfp, "copy is not null, partial is %d\n", 956 kl->aub_type)); 957 bpool_return(alt_b_copy); 958 warn_or_fatal(0, gettext(invalid_msg)); 959 alt_b_copy = NULL; 960 } 961 } 962 if (alt_b_copy != NULL) { /* continue collecting a long record */ 963 if (kl->aub_size + alt_offset > alt_length) { 964 bpool_return(alt_b_copy); 965 alt_b_copy = NULL; 966 warn_or_fatal(0, gettext(invalid_msg)); 967 return (0); 968 } 969 (void) memcpy(alt_b_copy->abq_buffer + alt_offset, kl->aub_buf, 970 kl->aub_size); 971 alt_offset += kl->aub_size; 972 if (kl->aub_type == AU_DBUF_MIDDLE) 973 return (0); 974 b_copy = alt_b_copy; 975 alt_b_copy = NULL; 976 b_copy->abq_data_len = alt_length; 977 } else if (kl->aub_type == AU_DBUF_FIRST) { 978 /* first buffer of a multiple buffer record */ 979 alt_length = getlen(kl->aub_buf); 980 if ((alt_length < MIN_RECORD_SIZE) || 981 (alt_length <= kl->aub_size)) { 982 warn_or_fatal(0, gettext(invalid_msg)); 983 return (0); 984 } 985 alt_b_copy = bpool_withdraw(kl->aub_buf, kl->aub_size, 986 alt_length); 987 988 if (alt_b_copy == NULL) 989 return (policy_is_block()); 990 991 alt_offset = kl->aub_size; 992 return (0); 993 } else { /* one buffer, one record -- the basic case */ 994 if (kl->aub_type != AU_DBUF_COMPLETE) { 995 DPRINT((dbfp, "copy is null, partial is %d\n", 996 kl->aub_type)); 997 warn_or_fatal(0, gettext(invalid_msg)); 998 return (0); /* tossed */ 999 } 1000 b_copy = bpool_withdraw(kl->aub_buf, kl->aub_size, 1001 kl->aub_size); 1002 1003 if (b_copy == NULL) 1004 return (policy_is_block()); 1005 } 1006 1007 (void) pthread_mutex_lock(&plugin_mutex); 1008 p = plugin_head; 1009 while (p != NULL) { 1010 if (!p->plg_removed) { 1011 /* 1012 * Link the record buffer to the input queues. 1013 * To avoid a race, it is necessary to wait 1014 * until all reference count increments 1015 * are complete before queueing q_copy. 1016 */ 1017 audit_incr_ref(&b_refcnt_lock, b_copy); 1018 1019 q_copy = qpool_withdraw(p); 1020 q_copy->aqq_sequence = p->plg_sequence++; 1021 q_copy->aqq_data = b_copy; 1022 1023 p->plg_save_q_copy = q_copy; /* enqueue below */ 1024 referenced = 1; 1025 } else 1026 p->plg_save_q_copy = NULL; 1027 p = p->plg_next; 1028 } 1029 /* 1030 * now that the reference count is updated, queue it. 1031 */ 1032 if (referenced) { 1033 p = plugin_head; 1034 while ((p != NULL) && (p->plg_save_q_copy != NULL)) { 1035 audit_enqueue(&(p->plg_queue), p->plg_save_q_copy); 1036 (void) pthread_cond_signal(&(p->plg_cv)); 1037 p->plg_queued++; 1038 p = p->plg_next; 1039 } 1040 } else 1041 bpool_return(b_copy); 1042 1043 (void) pthread_mutex_unlock(&plugin_mutex); 1044 1045 return (0); 1046 } 1047 1048 /* 1049 * wait_a_while() -- timed wait in the door server to allow output 1050 * time to catch up. 1051 */ 1052 static void 1053 wait_a_while() { 1054 struct timespec delay = {0, 500000000}; /* 1/2 second */; 1055 1056 (void) pthread_mutex_lock(&(in_thr.thd_mutex)); 1057 in_thr.thd_waiting = 1; 1058 (void) pthread_cond_reltimedwait_np(&(in_thr.thd_cv), 1059 &(in_thr.thd_mutex), &delay); 1060 in_thr.thd_waiting = 0; 1061 (void) pthread_mutex_unlock(&(in_thr.thd_mutex)); 1062 } 1063 1064 /* 1065 * adjust_priority() -- check queue and pools and adjust the priority 1066 * for process() accordingly. If we're way ahead of output, do a 1067 * timed wait as well. 1068 */ 1069 static void 1070 adjust_priority() { 1071 int queue_near_full; 1072 plugin_t *p; 1073 int queue_size; 1074 struct sched_param param; 1075 1076 queue_near_full = 0; 1077 (void) pthread_mutex_lock(&plugin_mutex); 1078 p = plugin_head; 1079 while (p != NULL) { 1080 queue_size = audit_queue_size(&(p->plg_queue)); 1081 if (queue_size > p->plg_q_threshold) { 1082 if (p->plg_priority != HIGH_PRIORITY) { 1083 p->plg_priority = 1084 param.sched_priority = 1085 HIGH_PRIORITY; 1086 (void) pthread_setschedparam(p->plg_tid, 1087 SCHED_OTHER, ¶m); 1088 } 1089 if (queue_size > p->plg_qmax - p->plg_qmin) { 1090 queue_near_full = 1; 1091 break; 1092 } 1093 } 1094 p = p->plg_next; 1095 } 1096 (void) pthread_mutex_unlock(&plugin_mutex); 1097 1098 if (queue_near_full) { 1099 DPRINT((dbfp, 1100 "adjust_priority: input taking a short break\n")); 1101 wait_a_while(); 1102 DPRINT((dbfp, 1103 "adjust_priority: input back from my break\n")); 1104 } 1105 } 1106 1107 /* 1108 * input() is a door server; it blocks if any plugins have full queues 1109 * with the continue policy off. (auditconfig -policy -cnt) 1110 * 1111 * input() is called synchronously from c2audit and is NOT 1112 * reentrant due to the (unprotected) static variables in 1113 * queue_buffer(). If multiple clients are created, a context 1114 * structure will be required for queue_buffer. 1115 * 1116 * timedwait is used when input() gets too far ahead of process(); 1117 * the wait terminates either when the set time expires or when 1118 * process() signals that it has nearly caught up. 1119 */ 1120 /* ARGSUSED */ 1121 static void 1122 input(void *cookie, void *argp, int arg_size, door_desc_t *dp, 1123 int n_descriptors) 1124 { 1125 int is_blocked; 1126 plugin_t *p; 1127 #if DEBUG 1128 int loop_count = 0; 1129 static int call_counter = 0; 1130 #endif 1131 if (argp == NULL) { 1132 warn_or_fatal(0, 1133 gettext("invalid data received from c2audit\n")); 1134 goto input_exit; 1135 } 1136 DPRINT((dbfp, "%d input new buffer: length=%u, " 1137 "partial=%u, arg_size=%d\n", 1138 ++call_counter, ((au_dbuf_t *)argp)->aub_size, 1139 ((au_dbuf_t *)argp)->aub_type, arg_size)); 1140 1141 if (((au_dbuf_t *)argp)->aub_size < 1) { 1142 warn_or_fatal(0, 1143 gettext("invalid data length received from c2audit\n")); 1144 goto input_exit; 1145 } 1146 /* 1147 * is_blocked is true only if one or more plugins have "no 1148 * continue" (-cnt) set and one of those has a full queue. 1149 * All plugins block until success is met. 1150 */ 1151 for (;;) { 1152 DPRINT((dbfp, "%d input is calling queue_buffer\n", 1153 call_counter)); 1154 1155 is_blocked = queue_buffer((au_dbuf_t *)argp); 1156 1157 if (!is_blocked) { 1158 adjust_priority(); 1159 break; 1160 } else { 1161 DPRINT((dbfp, 1162 "%d input blocked (loop=%d)\n", 1163 call_counter, loop_count)); 1164 1165 wait_a_while(); 1166 1167 DPRINT((dbfp, "%d input unblocked (loop=%d)\n", 1168 call_counter, loop_count)); 1169 } 1170 #if DEBUG 1171 loop_count++; 1172 #endif 1173 } 1174 input_exit: 1175 p = plugin_head; 1176 while (p != NULL) { 1177 (void) pthread_cond_signal(&(p->plg_cv)); 1178 p = p->plg_next; 1179 } 1180 ((au_dbuf_t *)argp)->aub_size = 0; /* return code */ 1181 (void) door_return(argp, sizeof (uint64_t), NULL, 0); 1182 } 1183 1184 /* 1185 * process() -- pass a buffer to a plugin 1186 */ 1187 static void 1188 process(plugin_t *p) 1189 { 1190 int rc; 1191 audit_rec_t *b_node; 1192 audit_q_t *q_node; 1193 auditd_rc_t plugrc; 1194 char *error_string; 1195 struct timespec delay; 1196 int sendsignal; 1197 int queue_len; 1198 struct sched_param param; 1199 1200 DPRINT((dbfp, "%s is thread %d\n", p->plg_path, p->plg_tid)); 1201 p->plg_priority = param.sched_priority = BASE_PRIORITY; 1202 (void) pthread_setschedparam(p->plg_tid, SCHED_OTHER, ¶m); 1203 1204 delay.tv_nsec = 0; 1205 1206 for (;;) { 1207 retry_mode: 1208 1209 while (audit_dequeue(&(p->plg_queue), (void *)&q_node) != 0) { 1210 DUMP("process", p, p->plg_last_seq_out, "blocked"); 1211 (void) pthread_cond_signal(&(in_thr.thd_cv)); 1212 1213 (void) pthread_mutex_lock(&(p->plg_mutex)); 1214 p->plg_waiting++; 1215 (void) pthread_cond_wait(&(p->plg_cv), 1216 &(p->plg_mutex)); 1217 p->plg_waiting--; 1218 (void) pthread_mutex_unlock(&(p->plg_mutex)); 1219 1220 if (p->plg_removed) 1221 break; 1222 1223 DUMP("process", p, p->plg_last_seq_out, "unblocked"); 1224 } 1225 if (p->plg_removed) 1226 break; 1227 #if DEBUG 1228 if (q_node->aqq_sequence != p->plg_last_seq_out + 1) 1229 (void) fprintf(dbfp, 1230 "process(%d): buffer sequence=%u but prev=%u\n", 1231 p->plg_tid, q_node->aqq_sequence, 1232 p->plg_last_seq_out); 1233 #endif 1234 error_string = NULL; 1235 1236 b_node = q_node->aqq_data; 1237 plugrc = p->plg_fplugin(b_node->abq_buffer, 1238 b_node->abq_data_len, 1239 q_node->aqq_sequence, &error_string); 1240 #if DEBUG 1241 p->plg_last_seq_out = q_node->aqq_sequence; 1242 #endif 1243 switch (plugrc) { 1244 case AUDITD_RETRY: 1245 report_error(plugrc, error_string, p->plg_path); 1246 free(error_string); 1247 error_string = NULL; 1248 1249 DPRINT((dbfp, "process(%d) AUDITD_RETRY returned." 1250 " cnt=%d (if 1, enter retry)\n", 1251 p->plg_tid, p->plg_cnt)); 1252 1253 if (p->plg_cnt) /* if cnt is on, lose the buffer */ 1254 break; 1255 1256 delay.tv_sec = p->plg_retry_time; 1257 (void) pthread_mutex_lock(&(p->plg_mutex)); 1258 p->plg_waiting++; 1259 (void) pthread_cond_reltimedwait_np(&(p->plg_cv), 1260 &(p->plg_mutex), &delay); 1261 p->plg_waiting--; 1262 (void) pthread_mutex_unlock(&(p->plg_mutex)); 1263 1264 DPRINT((dbfp, "left retry mode for %d\n", p->plg_tid)); 1265 goto retry_mode; 1266 1267 case AUDITD_SUCCESS: 1268 p->plg_output++; 1269 break; 1270 default: 1271 report_error(plugrc, error_string, p->plg_path); 1272 free(error_string); 1273 error_string = NULL; 1274 break; 1275 } /* end switch */ 1276 bpool_return(b_node); 1277 qpool_return(p, q_node); 1278 1279 sendsignal = 0; 1280 queue_len = audit_queue_size(&(p->plg_queue)); 1281 1282 (void) pthread_mutex_lock(&(in_thr.thd_mutex)); 1283 if (in_thr.thd_waiting && (queue_len > p->plg_qmin) && 1284 (queue_len < p->plg_q_threshold)) 1285 sendsignal = 1; 1286 1287 (void) pthread_mutex_unlock(&(in_thr.thd_mutex)); 1288 1289 if (sendsignal) { 1290 (void) pthread_cond_signal(&(in_thr.thd_cv)); 1291 /* 1292 * sched_yield(); does not help 1293 * performance and in artificial tests 1294 * (high sustained volume) appears to 1295 * hurt by adding wide variability in 1296 * the results. 1297 */ 1298 } else if ((p->plg_priority < BASE_PRIORITY) && 1299 (queue_len < p->plg_q_threshold)) { 1300 p->plg_priority = param.sched_priority = 1301 BASE_PRIORITY; 1302 (void) pthread_setschedparam(p->plg_tid, SCHED_OTHER, 1303 ¶m); 1304 } 1305 } /* end for (;;) */ 1306 DUMP("process", p, p->plg_last_seq_out, "exit"); 1307 error_string = NULL; 1308 if ((rc = p->plg_fplugin_close(&error_string)) != 1309 AUDITD_SUCCESS) 1310 report_error(rc, error_string, p->plg_path); 1311 1312 free(error_string); 1313 1314 (void) pthread_mutex_lock(&plugin_mutex); 1315 (void) unload_plugin(p); 1316 (void) pthread_mutex_unlock(&plugin_mutex); 1317 } 1318