]> git.saurik.com Git - apple/security.git/blob - securityd/dtrace/securityd-watch.d
Security-59306.101.1.tar.gz
[apple/security.git] / securityd / dtrace / securityd-watch.d
1 #!/usr/sbin/dtrace -q -s
2
3
4
5 /*
6 * Tracking state
7 */
8 typedef uint32_t DTPort;
9 typedef uint64_t DTHandle;
10
11 DTHandle portmap[DTPort]; /* map client reply ports to connections */
12
13 struct connection {
14 DTPort replyport; /* reply port for client thread */
15 uint32_t client; /* client object for this connection */
16 };
17 struct connection connection[DTHandle]; /* indexed by connection handle */
18
19 /* should be a single self struct, but that doesn't work right... */
20 self string reqName; /* request name */
21 self DTHandle reqConnection; /* associated connection */
22 self DTHandle reqClient; /* associated client */
23
24 struct client {
25 pid_t pid; /* original client pid */
26 DTHandle session; /* session handle */
27 string name; /* abbreviated name */
28 string path; /* path to client process (regardless of guests) */
29 DTPort taskport; /* process task port */
30 };
31 struct client client[DTHandle]; /* indexed by client handle */
32
33 struct keychain {
34 string name; /* keychain path */
35 };
36 struct keychain keychain[DTHandle]; /* indexed by DbCommon handle */
37
38
39 /*
40 * Script management
41 */
42 :::BEGIN
43 {
44 /* fake data for unknown processes */
45 client[0].pid = 0;
46 client[0].session = 0;
47 client[0].name = "*UNKNOWN*";
48 client[0].path = "*UNKNOWN*";
49
50 printf("Ready...\n");
51 }
52
53
54 /*
55 * Translate thread id
56 */
57 uint32_t threads[DTHandle]; /* map tids to simple thread numbers */
58 uint32_t nextThread; /* next unused thread number */
59 self uint32_t mytid; /* translated tid */
60
61 securityd*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
62 security_debug*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
63
64 securityd*::: { self->mytid = threads[tid]; }
65 security_debug*::: { self->mytid = threads[tid]; }
66
67
68 /*
69 * Principal events
70 */
71 securityd*:::installmode
72 {
73 printf("%u SYSTEM INSTALLATION MODE SELECTED\n", timestamp);
74 }
75
76 securityd*:::initialized
77 {
78 printf("%u COMMENCING SERVICE as %s\n", timestamp, copyinstr(arg0));
79 }
80
81
82 /*
83 * Client management
84 */
85 securityd*:::client-connection-new
86 {
87 replymap[arg1] = arg0;
88 self->reqClient = arg2;
89 connection[arg0].client = self->reqClient;
90 self->reqConnection = arg0;
91 @total["Connections"] = count();
92 printf("%u T%d:connection-new(<%x>,port=%d,client=<%x>/%s(%d))\n",
93 timestamp, self->mytid, arg0, arg1,
94 arg2, client[arg2].name, client[arg2].pid);
95 }
96
97 securityd*:::client-connection-release
98 /connection[arg0].client/
99 {
100 printf("%u T%d:connection-release(<%x>,client=<%x>/%s(%d))\n",
101 timestamp, self->mytid, arg0,
102 connection[arg0].client,
103 client[connection[arg0].client].name,
104 client[connection[arg0].client].pid);
105 replymap[connection[arg0].replyport] = 0; /* clear from port map */
106 connection[arg0].replyport = 0;
107 connection[arg0].client = 0;
108 }
109
110 securityd*:::client-new
111 {
112 client[arg0].pid = arg1;
113 client[arg0].session = arg2;
114 client[arg0].path = copyinstr(arg3);
115 client[arg0].name = basename(client[arg0].path);
116 client[arg0].taskport = arg4;
117 self->reqClient = arg0;
118 @total["Processes"] = count();
119 printf("%u T%d:client-new(<%x>,%s(%d),session=<%x>,task=%d)\n",
120 timestamp, self->mytid, arg0,
121 client[arg0].path, client[arg0].pid,
122 client[arg0].session, client[arg0].taskport);
123 }
124
125 securityd*:::client-release
126 {
127 printf("%u T%d:client-release(<%x>,%s(%d))\n",
128 timestamp, self->mytid, arg0, client[arg0].path, arg1);
129 client[arg0].pid = 0;
130 }
131
132 securityd*:::client-change_session
133 {
134 printf("%u T%d:client-change_session(<%x>,new session=<%x>)\n",
135 timestamp, self->mytid, arg0, arg1);
136 client[arg0].pid = 0;
137 }
138
139
140 /*
141 * Client requests
142 */
143 uint32_t connections[DTHandle];
144 uint32_t nextConnection;
145 self uint32_t myConnection;
146
147 securityd*:::request-entry
148 /!connections[arg1]/
149 { connections[arg1] = ++nextConnection; }
150
151 securityd*:::request-entry
152 {
153 self->reqName = copyinstr(arg0);
154 self->reqConnection = arg1;
155 self->myConnection = connections[arg1];
156 self->reqClient = arg2;
157 this->client = client[self->reqClient];
158 }
159
160 securityd*:::request-entry
161 /this->client.pid/
162 {
163 printf("%u T%d:C%d:%s(%d)%s\n",
164 timestamp, self->mytid, self->myConnection, this->client.name, this->client.pid, self->reqName);
165 @request[client[self->reqClient].name, self->reqName] = count();
166 }
167
168 securityd*:::request-entry
169 /!this->client.pid/
170 {
171 printf("%u T%d:C%d:%s\n",
172 timestamp, self->mytid, self->myConnection, self->reqName);
173 }
174
175 securityd*:::request-entry
176 {
177 @requests[self->reqName] = count();
178 @total["Requests"] = count();
179 }
180
181 securityd*:::request-return
182 /self->reqConnection && arg0 == 0/
183 {
184 printf("%u T%d:C%d:return\n",
185 timestamp, self->mytid, self->myConnection);
186 }
187
188 securityd*:::request-return
189 /self->reqConnection && arg0 != 0/
190 {
191 printf("%u T%d:C%d:FAIL(%d)\n",
192 timestamp, self->mytid, self->myConnection, arg0);
193 }
194
195 securityd*:::request-return
196 {
197 self->reqConnection = 0;
198 self->reqClient = 0;
199 }
200
201
202 /*
203 * Sessions
204 */
205 typedef uint32_t SessionId;
206
207 struct Session {
208 DTHandle handle;
209 SessionId sessionid;
210 };
211 struct Session session[SessionId];
212
213 struct xauditinfo {
214 uint32_t ai_auid; /* audit user id */
215 struct {
216 unsigned int low;
217 unsigned int high;
218 } ai_mask;
219 struct {
220 uint32_t dev;
221 uint32_t type;
222 uint32_t addr[4];
223 } ai_termid;
224 au_asid_t ai_asid; /* audit session id */
225 au_asflgs_t ai_flags; /* audit session flags */
226 };
227 self struct xauditinfo *ai;
228
229 securityd*:::session-create
230 {
231 session[arg1].handle = arg0;
232 session[arg1].sessionid = arg1;
233 self->ai = copyin(arg2, sizeof(struct xauditinfo));
234 printf("%u T%d:%s(<%x>,id=%d,uid=%d,flags=%#x)\n", timestamp, self->mytid, probename,
235 arg0, arg1, self->ai->ai_auid, self->ai->ai_flags);
236 }
237
238 securityd*:::session-kill
239 {
240 printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
241 }
242
243 securityd*:::session-destroy
244 {
245 printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
246 }
247
248 securityd*:::session-notify
249 {
250 printf("%u T%d:%s(<%x>,id=%d,events=0x%x,uid=%d)\n", timestamp, self->mytid, probename,
251 session[arg0].handle, arg0, arg1, arg2);
252 }
253
254
255 /*
256 * Keychains
257 */
258 securityd*:::keychain-*
259 {
260 this->path = copyinstr(arg1);
261 printf("%u T%d:%s(<%x>,%s)\n", timestamp, self->mytid, probename, arg0, this->path);
262 @keychain[this->path, probename] = count();
263 }
264
265
266 /*
267 * Low-level port events
268 */
269 securityd*:::ports-*
270 {
271 printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
272 }
273
274
275 /*
276 * Code signing
277 */
278 securityd*:::guest-create
279 {
280 printf("%u T%d:guest-create(<%x>,host=<%x>,guest=<%x>,status=0x%x,flags=0x%x,path=%s)\n",
281 timestamp, self->mytid, arg0, arg1, arg2, arg3, arg4, copyinstr(arg5));
282 @total["Guests"] = count();
283 }
284
285 securityd*:::guest-change
286 {
287 printf("%u T%d:guest-change(<%x>,<%x>,status=0x%x)\n", timestamp, self->mytid, arg0, arg1, arg2);
288 }
289
290 securityd*:::guest-destroy
291 {
292 printf("%u T%d:guest-destroy(<%x>,<%x>)\n", timestamp, self->mytid, arg0, arg1);
293 }
294
295 securityd*:::host-register,
296 securityd*:::host-proxy
297 {
298 printf("%u T%d:%s(<%x>,port=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
299 @total["Hosts"] = count();
300 }
301
302 securityd*:::host-unregister
303 {
304 printf("%u T%d:host-unregister(<%x>)\n", timestamp, self->mytid, arg0);
305 }
306
307
308 /*
309 * Child management
310 */
311 securityd*:::child-*
312 {
313 printf("%u T%d:%s(%d,%d)\n", timestamp, self->mytid, probename, arg0, arg1);
314 }
315
316
317 /*
318 * Power events
319 */
320 securityd*:::power-*
321 {
322 printf("%u T%d:POWER(%s)\n", timestamp, self->mytid, probename);
323 }
324
325
326 /*
327 * Authorization
328 */
329 securityd*:::auth-create
330 {
331 printf("%u T%d:%s ref(%#x) session(%#x)\n", timestamp, self->mytid, probename, arg1, arg0);
332 }
333
334 securityd*:::auth-allow,
335 securityd*:::auth-deny,
336 securityd*:::auth-user,
337 securityd*:::auth-rules,
338 securityd*:::auth-kofn,
339 securityd*:::auth-mechrule
340 {
341 printf("%u T%d:%s ref(%#x) rule(%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
342 }
343
344 securityd*:::auth-mech
345 {
346 printf("%u T%d:%s ref(%#x) (%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
347 }
348
349 securityd*:::auth-user-allowroot,
350 securityd*:::auth-user-allowsessionowner
351 {
352 printf("%u T%d:%s ref(%#x)\n", timestamp, self->mytid, probename, arg0);
353 }
354
355 securityd*:::auth-evalright
356 {
357 printf("%u T%d:%s ref(%#x) %s (%d)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1), arg2);
358 }
359
360
361 /*
362 * Miscellanea
363 */
364 securityd*:::entropy-collect
365 {
366 printf("%u T%d:entropy-collect()\n", timestamp, tid);
367 }
368
369 securityd*:::entropy-seed
370 {
371 printf("%u T%d:entropy-seed(%d)\n", timestamp, self->mytid, arg0);
372 }
373
374 securityd*:::entropy-save
375 {
376 printf("%u T%d:entropy-save(%s)\n", timestamp, self->mytid, copyinstr(arg0));
377 }
378
379 securityd*:::signal-*
380 {
381 printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
382 }
383
384
385 /*
386 * Integrate secdebug logs
387 */
388 security_debug*:::log
389 /execname == "securityd"/
390 {
391 printf("%u T%d:[%s]%s\n", timestamp, threads[tid],
392 copyinstr(arg0), copyinstr(arg1));
393 }
394
395 security_exception*:::throw-*
396 /execname == "securityd"/
397 {
398 printf("%u T%d:EXCEPTION(%p) THROWN %s(%d)\n", timestamp, threads[tid],
399 arg0, probename, arg1);
400 }
401
402
403 /*
404 * Wrapup
405 */
406 :::END
407 {
408 printa("%@8u %s\n", @total);
409 printf("\n Requests:\n");
410 printa("%@8u %s\n", @requests);
411 printf("\n Requests by client:\n");
412 printa("%@8u %s:%s\n", @request);
413 printf("\n Keychains by path and operation:\n");
414 printa("%@8u %s(%s)\n", @keychain);
415 }