[apple/security.git] / securityd / dtrace / securityd-watch.d

#!/usr/sbin/dtrace -q -s


/*
 * Tracking state
 */
typedef uint32_t DTPort;
typedef uint64_t DTHandle;

DTHandle portmap[DTPort];				/* map client reply ports to connections */

struct connection {
	DTPort replyport;		/* reply port for client thread */
	uint32_t client;		/* client object for this connection */
};
struct connection connection[DTHandle];	/* indexed by connection handle */

/* should be a single self struct, but that doesn't work right... */
self string reqName;		/* request name */
self DTHandle reqConnection; /* associated connection */
self DTHandle reqClient;	/* associated client */

struct client {
	pid_t pid;				/* original client pid */
	DTHandle session;		/* session handle */
	string name;			/* abbreviated name */
	string path;			/* path to client process (regardless of guests) */
	DTPort  taskport;		/* process task port */
};
struct client client[DTHandle];			/* indexed by client handle */

struct keychain {
	string name;			/* keychain path */
};
struct keychain keychain[DTHandle];		/* indexed by DbCommon handle */


/*
 * Script management
 */
:::BEGIN
{
	/* fake data for unknown processes */
	client[0].pid = 0;
	client[0].session = 0;
	client[0].name = "*UNKNOWN*";
	client[0].path = "*UNKNOWN*";

	printf("Ready...\n");
}


/*
 * Translate thread id
 */
uint32_t threads[DTHandle];	/* map tids to simple thread numbers */
uint32_t nextThread;		/* next unused thread number */
self uint32_t mytid;		/* translated tid */

securityd*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
security_debug*::: /!threads[tid]/ { threads[tid] = ++nextThread; }

securityd*::: { self->mytid = threads[tid]; }
security_debug*::: { self->mytid = threads[tid]; }


/*
 * Principal events
 */
securityd*:::installmode
{
	printf("%u SYSTEM INSTALLATION MODE SELECTED\n", timestamp);
}

securityd*:::initialized
{
	printf("%u COMMENCING SERVICE as %s\n", timestamp, copyinstr(arg0));
}


/*
 * Client management
 */
securityd*:::client-connection-new
{
	replymap[arg1] = arg0;
	self->reqClient = arg2;
	connection[arg0].client = self->reqClient;
	self->reqConnection = arg0;
	@total["Connections"] = count();
	printf("%u T%d:connection-new(<%x>,port=%d,client=<%x>/%s(%d))\n",
		timestamp, self->mytid, arg0, arg1,
		arg2, client[arg2].name, client[arg2].pid);
}

securityd*:::client-connection-release
/connection[arg0].client/
{
	printf("%u T%d:connection-release(<%x>,client=<%x>/%s(%d))\n",
		timestamp, self->mytid, arg0,
		connection[arg0].client,
		client[connection[arg0].client].name,
		client[connection[arg0].client].pid);
	replymap[connection[arg0].replyport] = 0;		/* clear from port map */
	connection[arg0].replyport = 0;
	connection[arg0].client = 0;
}

securityd*:::client-new
{
	client[arg0].pid = arg1;
	client[arg0].session = arg2;
    client[arg0].path = copyinstr(arg3);
	client[arg0].name = basename(client[arg0].path);
	client[arg0].taskport = arg4;
	self->reqClient = arg0;
	@total["Processes"] = count();
    printf("%u T%d:client-new(<%x>,%s(%d),session=<%x>,task=%d)\n",
        timestamp, self->mytid, arg0,
		client[arg0].path, client[arg0].pid,
		client[arg0].session, client[arg0].taskport);
}

securityd*:::client-release
{
    printf("%u T%d:client-release(<%x>,%s(%d))\n",
		timestamp, self->mytid, arg0, client[arg0].path, arg1);
	client[arg0].pid = 0;
}

securityd*:::client-change_session
{
    printf("%u T%d:client-change_session(<%x>,new session=<%x>)\n",
		timestamp, self->mytid, arg0, arg1);
	client[arg0].pid = 0;
}


/*
 * Client requests
 */
uint32_t connections[DTHandle];
uint32_t nextConnection;
self uint32_t myConnection;

securityd*:::request-entry
/!connections[arg1]/
{ connections[arg1] = ++nextConnection; }

securityd*:::request-entry
{
	self->reqName = copyinstr(arg0);
	self->reqConnection = arg1;
	self->myConnection = connections[arg1];
	self->reqClient = arg2;
	this->client = client[self->reqClient];
}

securityd*:::request-entry
/this->client.pid/
{
	printf("%u T%d:C%d:%s(%d)%s\n",
		timestamp, self->mytid, self->myConnection, this->client.name, this->client.pid, self->reqName);
	@request[client[self->reqClient].name, self->reqName] = count();
}

securityd*:::request-entry
/!this->client.pid/
{
	printf("%u T%d:C%d:%s\n",
		timestamp, self->mytid, self->myConnection, self->reqName);
}

securityd*:::request-entry
{
	@requests[self->reqName] = count();
	@total["Requests"] = count();
}

securityd*:::request-return
/self->reqConnection && arg0 == 0/
{
	printf("%u T%d:C%d:return\n",
		timestamp, self->mytid, self->myConnection);
}

securityd*:::request-return
/self->reqConnection && arg0 != 0/
{
	printf("%u T%d:C%d:FAIL(%d)\n",
		timestamp, self->mytid, self->myConnection, arg0);
}

securityd*:::request-return
{
	self->reqConnection = 0;
	self->reqClient = 0;
}


/*
 * Sessions
 */
typedef uint32_t SessionId;

struct Session {
	DTHandle handle;
	SessionId sessionid;
};
struct Session session[SessionId];

struct xauditinfo {
	uint32_t	ai_auid;		/* audit user id */
	struct {
		unsigned int low;
		unsigned int high;
	} ai_mask;
	struct {
		uint32_t dev;
		uint32_t type;
		uint32_t addr[4];
	} ai_termid;
	au_asid_t ai_asid;		/* audit session id */
	au_asflgs_t ai_flags;	/* audit session flags */
};
self struct xauditinfo *ai;

securityd*:::session-create
{
	session[arg1].handle = arg0;
	session[arg1].sessionid = arg1;
	self->ai = copyin(arg2, sizeof(struct xauditinfo));
	printf("%u T%d:%s(<%x>,id=%d,uid=%d,flags=%#x)\n", timestamp, self->mytid, probename,
		arg0, arg1, self->ai->ai_auid, self->ai->ai_flags);
}

securityd*:::session-kill
{
	printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
}

securityd*:::session-destroy
{
	printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
}

securityd*:::session-notify
{
	printf("%u T%d:%s(<%x>,id=%d,events=0x%x,uid=%d)\n", timestamp, self->mytid, probename,
		session[arg0].handle, arg0, arg1, arg2);
}


/*
 * Keychains
 */
securityd*:::keychain-*
{
	this->path = copyinstr(arg1);
	printf("%u T%d:%s(<%x>,%s)\n", timestamp, self->mytid, probename, arg0, this->path);
	@keychain[this->path, probename] = count();
}


/*
 * Low-level port events
 */
securityd*:::ports-*
{
	printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
}


/*
 * Code signing
 */
securityd*:::guest-create
{
	printf("%u T%d:guest-create(<%x>,host=<%x>,guest=<%x>,status=0x%x,flags=0x%x,path=%s)\n",
		timestamp, self->mytid, arg0, arg1, arg2, arg3, arg4, copyinstr(arg5));
	@total["Guests"] = count();
}

securityd*:::guest-change
{
	printf("%u T%d:guest-change(<%x>,<%x>,status=0x%x)\n", timestamp, self->mytid, arg0, arg1, arg2);
}

securityd*:::guest-destroy
{
	printf("%u T%d:guest-destroy(<%x>,<%x>)\n", timestamp, self->mytid, arg0, arg1);
}

securityd*:::host-register,
securityd*:::host-proxy
{
	printf("%u T%d:%s(<%x>,port=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
	@total["Hosts"] = count();
}

securityd*:::host-unregister
{
	printf("%u T%d:host-unregister(<%x>)\n", timestamp, self->mytid, arg0);
}


/*
 * Child management
 */
securityd*:::child-*
{
	printf("%u T%d:%s(%d,%d)\n", timestamp, self->mytid, probename, arg0, arg1);
}


/*
 * Power events
 */
securityd*:::power-*
{
	printf("%u T%d:POWER(%s)\n", timestamp, self->mytid, probename);
}


/*
 * Authorization
 */
securityd*:::auth-create
{
    printf("%u T%d:%s ref(%#x) session(%#x)\n", timestamp, self->mytid, probename, arg1, arg0);
}

securityd*:::auth-allow,
securityd*:::auth-deny,
securityd*:::auth-user,
securityd*:::auth-rules,
securityd*:::auth-kofn,
securityd*:::auth-mechrule
{
    printf("%u T%d:%s ref(%#x) rule(%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
}

securityd*:::auth-mech
{
    printf("%u T%d:%s ref(%#x) (%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
}

securityd*:::auth-user-allowroot,
securityd*:::auth-user-allowsessionowner
{
    printf("%u T%d:%s ref(%#x)\n", timestamp, self->mytid, probename, arg0);
}

securityd*:::auth-evalright
{
    printf("%u T%d:%s ref(%#x) %s (%d)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1), arg2);
}


/*
 * Miscellanea
 */
securityd*:::entropy-collect
{
	printf("%u T%d:entropy-collect()\n", timestamp, tid);
}

securityd*:::entropy-seed
{
	printf("%u T%d:entropy-seed(%d)\n", timestamp, self->mytid, arg0);
}

securityd*:::entropy-save
{
	printf("%u T%d:entropy-save(%s)\n", timestamp, self->mytid, copyinstr(arg0));
}

securityd*:::signal-*
{
	printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
}


/*
 * Integrate secdebug logs
 */
security_debug*:::log
/execname == "securityd"/
{
	printf("%u T%d:[%s]%s\n", timestamp, threads[tid],
		copyinstr(arg0), copyinstr(arg1));
}

security_exception*:::throw-*
/execname == "securityd"/
{
	printf("%u T%d:EXCEPTION(%p) THROWN %s(%d)\n", timestamp, threads[tid],
		arg0, probename, arg1);
}


/*
 * Wrapup
 */
:::END
{
	printa("%@8u %s\n", @total);
	printf("\n         Requests:\n");
	printa("%@8u %s\n", @requests);
	printf("\n         Requests by client:\n");
	printa("%@8u %s:%s\n", @request);
	printf("\n         Keychains by path and operation:\n");
	printa("%@8u %s(%s)\n", @keychain);
}
Commit	Line	Data
d8f41ccd A	1	#!/usr/sbin/dtrace -q -s
	2
	3
	4
	5	/*
	6	* Tracking state
	7	*/
	8	typedef uint32_t DTPort;
	9	typedef uint64_t DTHandle;
	10
	11	DTHandle portmap[DTPort]; /* map client reply ports to connections */
	12
	13	struct connection {
	14	DTPort replyport; /* reply port for client thread */
	15	uint32_t client; /* client object for this connection */
	16	};
	17	struct connection connection[DTHandle]; /* indexed by connection handle */
	18
	19	/* should be a single self struct, but that doesn't work right... */
	20	self string reqName; /* request name */
	21	self DTHandle reqConnection; /* associated connection */
	22	self DTHandle reqClient; /* associated client */
	23
	24	struct client {
	25	pid_t pid; /* original client pid */
	26	DTHandle session; /* session handle */
	27	string name; /* abbreviated name */
	28	string path; /* path to client process (regardless of guests) */
	29	DTPort taskport; /* process task port */
	30	};
	31	struct client client[DTHandle]; /* indexed by client handle */
	32
	33	struct keychain {
	34	string name; /* keychain path */
	35	};
	36	struct keychain keychain[DTHandle]; /* indexed by DbCommon handle */
	37
	38
	39	/*
	40	* Script management
	41	*/
	42	:::BEGIN
	43	{
	44	/* fake data for unknown processes */
	45	client[0].pid = 0;
	46	client[0].session = 0;
	47	client[0].name = "UNKNOWN";
	48	client[0].path = "UNKNOWN";
	49
	50	printf("Ready...\n");
	51	}
	52
	53
	54	/*
	55	* Translate thread id
	56	*/
	57	uint32_t threads[DTHandle]; /* map tids to simple thread numbers */
	58	uint32_t nextThread; /* next unused thread number */
	59	self uint32_t mytid; /* translated tid */
	60
	61	securityd*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
	62	security_debug*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
	63
	64	securityd*::: { self->mytid = threads[tid]; }
65	security_debug*::: { self->mytid = threads[tid]; }
66
67
68	/*
69	* Principal events
70	*/
71	securityd*:::installmode
72	{
73	printf("%u SYSTEM INSTALLATION MODE SELECTED\n", timestamp);
74	}
75
76	securityd*:::initialized
77	{
78	printf("%u COMMENCING SERVICE as %s\n", timestamp, copyinstr(arg0));
79	}
80
81
82	/*
83	* Client management
84	*/
85	securityd*:::client-connection-new
86	{
87	replymap[arg1] = arg0;
88	self->reqClient = arg2;
89	connection[arg0].client = self->reqClient;
90	self->reqConnection = arg0;
91	@total["Connections"] = count();
92	printf("%u T%d:connection-new(<%x>,port=%d,client=<%x>/%s(%d))\n",
93	timestamp, self->mytid, arg0, arg1,
94	arg2, client[arg2].name, client[arg2].pid);
95	}
96
97	securityd*:::client-connection-release
98	/connection[arg0].client/
99	{
100	printf("%u T%d:connection-release(<%x>,client=<%x>/%s(%d))\n",
101	timestamp, self->mytid, arg0,
102	connection[arg0].client,
103	client[connection[arg0].client].name,
104	client[connection[arg0].client].pid);
105	replymap[connection[arg0].replyport] = 0; /* clear from port map */
106	connection[arg0].replyport = 0;
107	connection[arg0].client = 0;
108	}
109
110	securityd*:::client-new
111	{
112	client[arg0].pid = arg1;
113	client[arg0].session = arg2;
114	client[arg0].path = copyinstr(arg3);
115	client[arg0].name = basename(client[arg0].path);
116	client[arg0].taskport = arg4;
117	self->reqClient = arg0;
118	@total["Processes"] = count();
119	printf("%u T%d:client-new(<%x>,%s(%d),session=<%x>,task=%d)\n",
120	timestamp, self->mytid, arg0,
121	client[arg0].path, client[arg0].pid,
122	client[arg0].session, client[arg0].taskport);
123	}
124
125	securityd*:::client-release
126	{
127	printf("%u T%d:client-release(<%x>,%s(%d))\n",
128	timestamp, self->mytid, arg0, client[arg0].path, arg1);
129	client[arg0].pid = 0;
130	}
131
132	securityd*:::client-change_session
133	{
134	printf("%u T%d:client-change_session(<%x>,new session=<%x>)\n",
135	timestamp, self->mytid, arg0, arg1);
136	client[arg0].pid = 0;
137	}
138
139
140	/*
141	* Client requests
142	*/
143	uint32_t connections[DTHandle];
144	uint32_t nextConnection;
145	self uint32_t myConnection;
146
147	securityd*:::request-entry
148	/!connections[arg1]/
149	{ connections[arg1] = ++nextConnection; }
150
151	securityd*:::request-entry
152	{
153	self->reqName = copyinstr(arg0);
154	self->reqConnection = arg1;
155	self->myConnection = connections[arg1];
156	self->reqClient = arg2;
157	this->client = client[self->reqClient];
158	}
159
160	securityd*:::request-entry
161	/this->client.pid/
162	{
163	printf("%u T%d:C%d:%s(%d)%s\n",
164	timestamp, self->mytid, self->myConnection, this->client.name, this->client.pid, self->reqName);
165	@request[client[self->reqClient].name, self->reqName] = count();
166	}
167
168	securityd*:::request-entry
169	/!this->client.pid/
170	{
171	printf("%u T%d:C%d:%s\n",
172	timestamp, self->mytid, self->myConnection, self->reqName);
173	}
174
175	securityd*:::request-entry
176	{
177	@requests[self->reqName] = count();
178	@total["Requests"] = count();
179	}
180
181	securityd*:::request-return
182	/self->reqConnection && arg0 == 0/
183	{
184	printf("%u T%d:C%d:return\n",
185	timestamp, self->mytid, self->myConnection);
186	}
187
188	securityd*:::request-return
189	/self->reqConnection && arg0 != 0/
190	{
191	printf("%u T%d:C%d:FAIL(%d)\n",
192	timestamp, self->mytid, self->myConnection, arg0);
193	}
194
195	securityd*:::request-return
196	{
197	self->reqConnection = 0;
198	self->reqClient = 0;
199	}
200
201
202	/*
203	* Sessions
204	*/
205	typedef uint32_t SessionId;
206
207	struct Session {
208	DTHandle handle;
209	SessionId sessionid;
210	};
211	struct Session session[SessionId];
212
213	struct xauditinfo {
214	uint32_t ai_auid; /* audit user id */
215	struct {
216	unsigned int low;
217	unsigned int high;
218	} ai_mask;
219	struct {
220	uint32_t dev;
221	uint32_t type;
222	uint32_t addr[4];
223	} ai_termid;
224	au_asid_t ai_asid; /* audit session id */
225	au_asflgs_t ai_flags; /* audit session flags */
226	};
227	self struct xauditinfo *ai;
228
229	securityd*:::session-create
230	{
231	session[arg1].handle = arg0;
232	session[arg1].sessionid = arg1;
233	self->ai = copyin(arg2, sizeof(struct xauditinfo));
234	printf("%u T%d:%s(<%x>,id=%d,uid=%d,flags=%#x)\n", timestamp, self->mytid, probename,
235	arg0, arg1, self->ai->ai_auid, self->ai->ai_flags);
236	}
237
238	securityd*:::session-kill
239	{
240	printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
241	}
242
243	securityd*:::session-destroy
244	{
245	printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
246	}
247
248	securityd*:::session-notify
249	{
250	printf("%u T%d:%s(<%x>,id=%d,events=0x%x,uid=%d)\n", timestamp, self->mytid, probename,
251	session[arg0].handle, arg0, arg1, arg2);
252	}
253
254
255	/*
256	* Keychains
257	*/
258	securityd:::keychain-
259	{
260	this->path = copyinstr(arg1);
261	printf("%u T%d:%s(<%x>,%s)\n", timestamp, self->mytid, probename, arg0, this->path);
262	@keychain[this->path, probename] = count();
263	}
264
265
266	/*
267	* Low-level port events
268	*/
269	securityd:::ports-
270	{
271	printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
272	}
273
274
275	/*
276	* Code signing
277	*/
278	securityd*:::guest-create
279	{
280	printf("%u T%d:guest-create(<%x>,host=<%x>,guest=<%x>,status=0x%x,flags=0x%x,path=%s)\n",
281	timestamp, self->mytid, arg0, arg1, arg2, arg3, arg4, copyinstr(arg5));
282	@total["Guests"] = count();
283	}
284
285	securityd*:::guest-change
286	{
287	printf("%u T%d:guest-change(<%x>,<%x>,status=0x%x)\n", timestamp, self->mytid, arg0, arg1, arg2);
288	}
289
290	securityd*:::guest-destroy
291	{
292	printf("%u T%d:guest-destroy(<%x>,<%x>)\n", timestamp, self->mytid, arg0, arg1);
293	}
294
295	securityd*:::host-register,
296	securityd*:::host-proxy
297	{
298	printf("%u T%d:%s(<%x>,port=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
299	@total["Hosts"] = count();
300	}
301
302	securityd*:::host-unregister
303	{
304	printf("%u T%d:host-unregister(<%x>)\n", timestamp, self->mytid, arg0);
305	}
306
307
308	/*
309	* Child management
310	*/
311	securityd:::child-
312	{
313	printf("%u T%d:%s(%d,%d)\n", timestamp, self->mytid, probename, arg0, arg1);
314	}
315
316
317	/*
318	* Power events
319	*/
320	securityd:::power-
321	{
322	printf("%u T%d:POWER(%s)\n", timestamp, self->mytid, probename);
323	}
324
325
326	/*
327	* Authorization
328	*/
329	securityd*:::auth-create
330	{
331	printf("%u T%d:%s ref(%#x) session(%#x)\n", timestamp, self->mytid, probename, arg1, arg0);
332	}
333
334	securityd*:::auth-allow,
335	securityd*:::auth-deny,
336	securityd*:::auth-user,
337	securityd*:::auth-rules,
338	securityd*:::auth-kofn,
339	securityd*:::auth-mechrule
340	{
341	printf("%u T%d:%s ref(%#x) rule(%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
342	}
343
344	securityd*:::auth-mech
345	{
346	printf("%u T%d:%s ref(%#x) (%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
347	}
348
349	securityd*:::auth-user-allowroot,
350	securityd*:::auth-user-allowsessionowner
351	{
352	printf("%u T%d:%s ref(%#x)\n", timestamp, self->mytid, probename, arg0);
353	}
354
355	securityd*:::auth-evalright
356	{
357	printf("%u T%d:%s ref(%#x) %s (%d)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1), arg2);
358	}
359
360
361	/*
362	* Miscellanea
363	*/
364	securityd*:::entropy-collect
365	{
366	printf("%u T%d:entropy-collect()\n", timestamp, tid);
367	}
368
369	securityd*:::entropy-seed
370	{
371	printf("%u T%d:entropy-seed(%d)\n", timestamp, self->mytid, arg0);
372	}
373
374	securityd*:::entropy-save
375	{
376	printf("%u T%d:entropy-save(%s)\n", timestamp, self->mytid, copyinstr(arg0));
377	}
378
379	securityd:::signal-
380	{
381	printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
382	}
383
384
385	/*
386	* Integrate secdebug logs
387	*/
388	security_debug*:::log
389	/execname == "securityd"/
390	{
391	printf("%u T%d:[%s]%s\n", timestamp, threads[tid],
392	copyinstr(arg0), copyinstr(arg1));
393	}
394
395	security_exception:::throw-
396	/execname == "securityd"/
397	{
398	printf("%u T%d:EXCEPTION(%p) THROWN %s(%d)\n", timestamp, threads[tid],
399	arg0, probename, arg1);
400	}
401
402
403	/*
404	* Wrapup
405	*/
406	:::END
407	{
408	printa("%@8u %s\n", @total);
409	printf("\n Requests:\n");
410	printa("%@8u %s\n", @requests);
411	printf("\n Requests by client:\n");
412	printa("%@8u %s:%s\n", @request);
413	printf("\n Keychains by path and operation:\n");
414	printa("%@8u %s(%s)\n", @keychain);
415	}