]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_pipe.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-2422.115.4.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_pipe.c
1 /*-
2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <stdarg.h>
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/fcntl.h>
35 #include <sys/conf.h>
36 #include <sys/poll.h>
37 #include <sys/user.h>
38 #include <sys/signalvar.h>
39 #include <miscfs/devfs/devfs.h>
40
41 #include <bsm/audit.h>
42 #include <security/audit/audit.h>
43 #include <security/audit/audit_ioctl.h>
44 #include <security/audit/audit_bsd.h>
45 #include <security/audit/audit_private.h>
46
47 #if CONFIG_AUDIT
48 /*
49 * Implementation of a clonable special device providing a live stream of BSM
50 * audit data. Consumers receive a "tee" of the system audit trail by
51 * default, but may also define alternative event selections using ioctls.
52 * This interface provides unreliable but timely access to audit events.
53 * Consumers should be very careful to avoid introducing event cycles.
54 */
55
56 /*
57 * Memory types.
58 */
59 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
60 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
61 "Audit pipe entries and buffers");
62 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
63 "Audit pipe preselection structure");
64
65 /*
66 * Audit pipe buffer parameters.
67 */
68 #define AUDIT_PIPE_QLIMIT_DEFAULT (128)
69 #define AUDIT_PIPE_QLIMIT_MIN (1)
70 #define AUDIT_PIPE_QLIMIT_MAX (1024)
71
72 /*
73 * Description of an entry in an audit_pipe.
74 */
75 struct audit_pipe_entry {
76 void *ape_record;
77 u_int ape_record_len;
78 TAILQ_ENTRY(audit_pipe_entry) ape_queue;
79 };
80
81 /*
82 * Audit pipes allow processes to express "interest" in the set of records
83 * that are delivered via the pipe. They do this in a similar manner to the
84 * mechanism for audit trail configuration, by expressing two global masks,
85 * and optionally expressing per-auid masks. The following data structure is
86 * the per-auid mask description. The global state is stored in the audit
87 * pipe data structure.
88 *
89 * We may want to consider a more space/time-efficient data structure once
90 * usage patterns for per-auid specifications are clear.
91 */
92 struct audit_pipe_preselect {
93 au_id_t app_auid;
94 au_mask_t app_mask;
95 TAILQ_ENTRY(audit_pipe_preselect) app_list;
96 };
97
98 /*
99 * Description of an individual audit_pipe. Consists largely of a bounded
100 * length queue.
101 */
102 #define AUDIT_PIPE_ASYNC 0x00000001
103 #define AUDIT_PIPE_NBIO 0x00000002
104 struct audit_pipe {
105 int ap_open; /* Device open? */
106 u_int ap_flags;
107
108 struct selinfo ap_selinfo;
109 pid_t ap_sigio;
110
111 /*
112 * Per-pipe mutex protecting most fields in this data structure.
113 */
114 struct mtx ap_mtx;
115
116 /*
117 * Per-pipe sleep lock serializing user-generated reads and flushes.
118 * uiomove() is called to copy out the current head record's data
119 * while the record remains in the queue, so we prevent other threads
120 * from removing it using this lock.
121 */
122 struct slck ap_sx;
123
124 /*
125 * Condition variable to signal when data has been delivered to a
126 * pipe.
127 */
128 struct cv ap_cv;
129
130 /*
131 * Various queue-related variables: qlen and qlimit are a count of
132 * records in the queue; qbyteslen is the number of bytes of data
133 * across all records, and qoffset is the amount read so far of the
134 * first record in the queue. The number of bytes available for
135 * reading in the queue is qbyteslen - qoffset.
136 */
137 u_int ap_qlen;
138 u_int ap_qlimit;
139 u_int ap_qbyteslen;
140 u_int ap_qoffset;
141
142 /*
143 * Per-pipe operation statistics.
144 */
145 u_int64_t ap_inserts; /* Records added. */
146 u_int64_t ap_reads; /* Records read. */
147 u_int64_t ap_drops; /* Records dropped. */
148
149 /*
150 * Fields relating to pipe interest: global masks for unmatched
151 * processes (attributable, non-attributable), and a list of specific
152 * interest specifications by auid.
153 */
154 int ap_preselect_mode;
155 au_mask_t ap_preselect_flags;
156 au_mask_t ap_preselect_naflags;
157 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
158
159 /*
160 * Current pending record list. Protected by a combination of ap_mtx
161 * and ap_sx. Note particularly that *both* locks are required to
162 * remove a record from the head of the queue, as an in-progress read
163 * may sleep while copying and therefore cannot hold ap_mtx.
164 */
165 TAILQ_HEAD(, audit_pipe_entry) ap_queue;
166
167 /*
168 * Global pipe list.
169 */
170 TAILQ_ENTRY(audit_pipe) ap_list;
171 };
172
173 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
174 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
175 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
176 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
177 "audit_pipe_mtx", NULL, MTX_DEF)
178 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
179 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
180
181 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx)
182 #define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx")
183 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED)
184 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx)
185 #define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx)
186
187
188 /*
189 * Global list of audit pipes, rwlock to protect it. Individual record
190 * queues on pipes are protected by per-pipe locks; these locks synchronize
191 * between threads walking the list to deliver to individual pipes and add/
192 * remove of pipes, and are mostly acquired for read.
193 */
194 static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
195 static struct rwlock audit_pipe_lock;
196
197 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
198 "audit_pipe_list_lock")
199 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
200 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
201 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
202 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
203 RA_WLOCKED)
204 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
205
206 /*
207 * Cloning related variables and constants.
208 */
209 #define AUDIT_PIPE_NAME "auditpipe"
210 #define MAX_AUDIT_PIPES 32
211 static int audit_pipe_major;
212
213 /*
214 * dev_t doesn't have a pointer for "softc" data. So we have to keep track of
215 * it with the following global array (indexed by the minor number).
216 *
217 * XXX We may want to dynamically grow this as needed.
218 */
219 static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES];
220
221
222 /*
223 * Special device methods and definition.
224 */
225 static open_close_fcn_t audit_pipe_open;
226 static open_close_fcn_t audit_pipe_close;
227 static read_write_fcn_t audit_pipe_read;
228 static ioctl_fcn_t audit_pipe_ioctl;
229 static select_fcn_t audit_pipe_poll;
230
231 static struct cdevsw audit_pipe_cdevsw = {
232 .d_open = audit_pipe_open,
233 .d_close = audit_pipe_close,
234 .d_read = audit_pipe_read,
235 .d_write = eno_rdwrt,
236 .d_ioctl = audit_pipe_ioctl,
237 .d_stop = eno_stop,
238 .d_reset = eno_reset,
239 .d_ttys = NULL,
240 .d_select = audit_pipe_poll,
241 .d_mmap = eno_mmap,
242 .d_strategy = eno_strat,
243 .d_type = 0
244 };
245
246 /*
247 * Some global statistics on audit pipes.
248 */
249 static int audit_pipe_count; /* Current number of pipes. */
250 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
251 static u_int64_t audit_pipe_records; /* Records seen. */
252 static u_int64_t audit_pipe_drops; /* Global record drop count. */
253
254 /*
255 * Free an audit pipe entry.
256 */
257 static void
258 audit_pipe_entry_free(struct audit_pipe_entry *ape)
259 {
260
261 free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
262 free(ape, M_AUDIT_PIPE_ENTRY);
263 }
264
265 /*
266 * Find an audit pipe preselection specification for an auid, if any.
267 */
268 static struct audit_pipe_preselect *
269 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
270 {
271 struct audit_pipe_preselect *app;
272
273 AUDIT_PIPE_LOCK_ASSERT(ap);
274
275 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
276 if (app->app_auid == auid)
277 return (app);
278 }
279 return (NULL);
280 }
281
282 /*
283 * Query the per-pipe mask for a specific auid.
284 */
285 static int
286 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
287 au_mask_t *maskp)
288 {
289 struct audit_pipe_preselect *app;
290 int error;
291
292 AUDIT_PIPE_LOCK(ap);
293 app = audit_pipe_preselect_find(ap, auid);
294 if (app != NULL) {
295 *maskp = app->app_mask;
296 error = 0;
297 } else
298 error = ENOENT;
299 AUDIT_PIPE_UNLOCK(ap);
300 return (error);
301 }
302
303 /*
304 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
305 * otherwise, update the current entry.
306 */
307 static void
308 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
309 {
310 struct audit_pipe_preselect *app, *app_new;
311
312 /*
313 * Pessimistically assume that the auid doesn't already have a mask
314 * set, and allocate. We will free it if it is unneeded.
315 */
316 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
317 AUDIT_PIPE_LOCK(ap);
318 app = audit_pipe_preselect_find(ap, auid);
319 if (app == NULL) {
320 app = app_new;
321 app_new = NULL;
322 app->app_auid = auid;
323 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
324 }
325 app->app_mask = mask;
326 AUDIT_PIPE_UNLOCK(ap);
327 if (app_new != NULL)
328 free(app_new, M_AUDIT_PIPE_PRESELECT);
329 }
330
331 /*
332 * Delete a per-auid mask on an audit pipe.
333 */
334 static int
335 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
336 {
337 struct audit_pipe_preselect *app;
338 int error;
339
340 AUDIT_PIPE_LOCK(ap);
341 app = audit_pipe_preselect_find(ap, auid);
342 if (app != NULL) {
343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
344 error = 0;
345 } else
346 error = ENOENT;
347 AUDIT_PIPE_UNLOCK(ap);
348 if (app != NULL)
349 free(app, M_AUDIT_PIPE_PRESELECT);
350 return (error);
351 }
352
353 /*
354 * Delete all per-auid masks on an audit pipe.
355 */
356 static void
357 audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
358 {
359 struct audit_pipe_preselect *app;
360
361 AUDIT_PIPE_LOCK_ASSERT(ap);
362
363 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
364 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
365 free(app, M_AUDIT_PIPE_PRESELECT);
366 }
367 }
368
369 static void
370 audit_pipe_preselect_flush(struct audit_pipe *ap)
371 {
372
373 AUDIT_PIPE_LOCK(ap);
374 audit_pipe_preselect_flush_locked(ap);
375 AUDIT_PIPE_UNLOCK(ap);
376 }
377
378 /*-
379 * Determine whether a specific audit pipe matches a record with these
380 * properties. Algorithm is as follows:
381 *
382 * - If the pipe is configured to track the default trail configuration, then
383 * use the results of global preselection matching.
384 * - If not, search for a specifically configured auid entry matching the
385 * event. If an entry is found, use that.
386 * - Otherwise, use the default flags or naflags configured for the pipe.
387 */
388 static int
389 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
390 au_event_t event, au_class_t class, int sorf, int trail_preselect)
391 {
392 struct audit_pipe_preselect *app;
393
394 AUDIT_PIPE_LOCK_ASSERT(ap);
395
396 switch (ap->ap_preselect_mode) {
397 case AUDITPIPE_PRESELECT_MODE_TRAIL:
398 return (trail_preselect);
399
400 case AUDITPIPE_PRESELECT_MODE_LOCAL:
401 app = audit_pipe_preselect_find(ap, auid);
402 if (app == NULL) {
403 if (auid == (uid_t)AU_DEFAUDITID)
404 return (au_preselect(event, class,
405 &ap->ap_preselect_naflags, sorf));
406 else
407 return (au_preselect(event, class,
408 &ap->ap_preselect_flags, sorf));
409 } else
410 return (au_preselect(event, class, &app->app_mask,
411 sorf));
412
413 default:
414 panic("audit_pipe_preselect_check: mode %d",
415 ap->ap_preselect_mode);
416 }
417
418 return (0);
419 }
420
421 /*
422 * Determine whether there exists a pipe interested in a record with specific
423 * properties.
424 */
425 int
426 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
427 int sorf, int trail_preselect)
428 {
429 struct audit_pipe *ap;
430
431 /* Lockless read to avoid acquiring the global lock if not needed. */
432 if (TAILQ_EMPTY(&audit_pipe_list))
433 return (0);
434
435 AUDIT_PIPE_LIST_RLOCK();
436 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
437 AUDIT_PIPE_LOCK(ap);
438 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
439 trail_preselect)) {
440 AUDIT_PIPE_UNLOCK(ap);
441 AUDIT_PIPE_LIST_RUNLOCK();
442 return (1);
443 }
444 AUDIT_PIPE_UNLOCK(ap);
445 }
446 AUDIT_PIPE_LIST_RUNLOCK();
447 return (0);
448 }
449
450 /*
451 * Append individual record to a queue -- allocate queue-local buffer, and
452 * add to the queue. If the queue is full or we can't allocate memory, drop
453 * the newest record.
454 */
455 static void
456 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
457 {
458 struct audit_pipe_entry *ape;
459
460 AUDIT_PIPE_LOCK_ASSERT(ap);
461
462 if (ap->ap_qlen >= ap->ap_qlimit) {
463 ap->ap_drops++;
464 audit_pipe_drops++;
465 return;
466 }
467
468 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
469 if (ape == NULL) {
470 ap->ap_drops++;
471 audit_pipe_drops++;
472 return;
473 }
474
475 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
476 if (ape->ape_record == NULL) {
477 free(ape, M_AUDIT_PIPE_ENTRY);
478 ap->ap_drops++;
479 audit_pipe_drops++;
480 return;
481 }
482
483 bcopy(record, ape->ape_record, record_len);
484 ape->ape_record_len = record_len;
485
486 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
487 ap->ap_inserts++;
488 ap->ap_qlen++;
489 ap->ap_qbyteslen += ape->ape_record_len;
490 selwakeup(&ap->ap_selinfo);
491 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
492 pgsigio(ap->ap_sigio, SIGIO);
493 #if 0 /* XXX - fix select */
494 selwakeuppri(&ap->ap_selinfo, PSOCK);
495 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
496 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
497 pgsigio(&ap->ap_sigio, SIGIO, 0);
498 #endif
499 cv_broadcast(&ap->ap_cv);
500 }
501
502 /*
503 * audit_pipe_submit(): audit_worker submits audit records via this
504 * interface, which arranges for them to be delivered to pipe queues.
505 */
506 void
507 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
508 int trail_select, void *record, u_int record_len)
509 {
510 struct audit_pipe *ap;
511
512 /*
513 * Lockless read to avoid lock overhead if pipes are not in use.
514 */
515 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
516 return;
517
518 AUDIT_PIPE_LIST_RLOCK();
519 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
520 AUDIT_PIPE_LOCK(ap);
521 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
522 trail_select))
523 audit_pipe_append(ap, record, record_len);
524 AUDIT_PIPE_UNLOCK(ap);
525 }
526 AUDIT_PIPE_LIST_RUNLOCK();
527
528 /* Unlocked increment. */
529 audit_pipe_records++;
530 }
531
532 /*
533 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
534 * since we don't currently have selection information available, it is
535 * delivered to the pipe unconditionally.
536 *
537 * XXXRW: This is a bug. The BSM check routine for submitting a user record
538 * should parse that information and return it.
539 */
540 void
541 audit_pipe_submit_user(void *record, u_int record_len)
542 {
543 struct audit_pipe *ap;
544
545 /*
546 * Lockless read to avoid lock overhead if pipes are not in use.
547 */
548 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
549 return;
550
551 AUDIT_PIPE_LIST_RLOCK();
552 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
553 AUDIT_PIPE_LOCK(ap);
554 audit_pipe_append(ap, record, record_len);
555 AUDIT_PIPE_UNLOCK(ap);
556 }
557 AUDIT_PIPE_LIST_RUNLOCK();
558
559 /* Unlocked increment. */
560 audit_pipe_records++;
561 }
562
563 /*
564 * Allocate a new audit pipe. Connects the pipe, on success, to the global
565 * list and updates statistics.
566 */
567 static struct audit_pipe *
568 audit_pipe_alloc(void)
569 {
570 struct audit_pipe *ap;
571
572 AUDIT_PIPE_LIST_WLOCK_ASSERT();
573
574 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_WAITOK | M_ZERO);
575 if (ap == NULL)
576 return (NULL);
577
578 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
579 TAILQ_INIT(&ap->ap_queue);
580 #ifndef __APPLE__
581 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL,
582 NULL);
583 #endif
584 AUDIT_PIPE_LOCK_INIT(ap);
585 AUDIT_PIPE_SX_LOCK_INIT(ap);
586 cv_init(&ap->ap_cv, "audit_pipe");
587
588 /*
589 * Default flags, naflags, and auid-specific preselection settings to
590 * 0. Initialize the mode to the global trail so that if praudit(1)
591 * is run on /dev/auditpipe, it sees events associated with the
592 * default trail. Pipe-aware application can clear the flag, set
593 * custom masks, and flush the pipe as needed.
594 */
595 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
596 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
597 TAILQ_INIT(&ap->ap_preselect_list);
598 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
599
600 /*
601 * Add to global list and update global statistics.
602 */
603 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
604 audit_pipe_count++;
605 audit_pipe_ever++;
606
607 return (ap);
608 }
609
610 /*
611 * Flush all records currently present in an audit pipe; assume mutex is held.
612 */
613 static void
614 audit_pipe_flush(struct audit_pipe *ap)
615 {
616 struct audit_pipe_entry *ape;
617
618 AUDIT_PIPE_LOCK_ASSERT(ap);
619
620 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
621 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
622 ap->ap_qbyteslen -= ape->ape_record_len;
623 audit_pipe_entry_free(ape);
624 ap->ap_qlen--;
625 }
626 ap->ap_qoffset = 0;
627
628 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
629 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
630 }
631
632 /*
633 * Free an audit pipe; this means freeing all preselection state and all
634 * records in the pipe. Assumes global write lock and pipe mutex are held to
635 * revent any new records from being inserted during the free, and that the
636 * audit pipe is still on the global list.
637 */
638 static void
639 audit_pipe_free(struct audit_pipe *ap)
640 {
641
642 AUDIT_PIPE_LIST_WLOCK_ASSERT();
643 AUDIT_PIPE_LOCK_ASSERT(ap);
644
645 audit_pipe_preselect_flush_locked(ap);
646 audit_pipe_flush(ap);
647 cv_destroy(&ap->ap_cv);
648 AUDIT_PIPE_SX_LOCK_DESTROY(ap);
649 AUDIT_PIPE_UNLOCK(ap);
650 AUDIT_PIPE_LOCK_DESTROY(ap);
651 #ifndef __APPLE__
652 knlist_destroy(&ap->ap_selinfo.si_note);
653 #endif
654 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
655 free(ap, M_AUDIT_PIPE);
656 audit_pipe_count--;
657 }
658
659 /*
660 * Audit pipe clone routine -- provides a new minor number, or to return (-1),
661 * if one can't be provided. Called with DEVFS_LOCK held.
662 */
663 static int
664 audit_pipe_clone(__unused dev_t dev, int action)
665 {
666 int i;
667
668 if (action == DEVFS_CLONE_ALLOC) {
669 for(i = 0; i < MAX_AUDIT_PIPES; i++)
670 if (audit_pipe_dtab[i] == NULL)
671 return (i);
672
673 /*
674 * XXX Should really return -1 here but that seems to hang
675 * things in devfs. Instead return 0 and let _open() tell
676 * userland the bad news.
677 */
678 return (0);
679 }
680
681 return (-1);
682 }
683
684 /*
685 * Audit pipe open method. Explicit privilege check isn't used as this
686 * allows file permissions on the special device to be used to grant audit
687 * review access. Those file permissions should be managed carefully.
688 */
689 static int
690 audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype,
691 __unused proc_t p)
692 {
693 struct audit_pipe *ap;
694 int u;
695
696 u = minor(dev);
697 if (u < 0 || u > MAX_AUDIT_PIPES)
698 return (ENXIO);
699
700 AUDIT_PIPE_LIST_WLOCK();
701 ap = audit_pipe_dtab[u];
702 if (ap == NULL) {
703 ap = audit_pipe_alloc();
704 if (ap == NULL) {
705 AUDIT_PIPE_LIST_WUNLOCK();
706 return (ENOMEM);
707 }
708 audit_pipe_dtab[u] = ap;
709 } else {
710 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open"));
711 AUDIT_PIPE_LIST_WUNLOCK();
712 return (EBUSY);
713 }
714 ap->ap_open = 1;
715 AUDIT_PIPE_LIST_WUNLOCK();
716 #ifndef __APPLE__
717 fsetown(td->td_proc->p_pid, &ap->ap_sigio);
718 #endif
719 return (0);
720 }
721
722 /*
723 * Close audit pipe, tear down all records, etc.
724 */
725 static int
726 audit_pipe_close(dev_t dev, __unused int flags, __unused int devtype,
727 __unused proc_t p)
728 {
729 struct audit_pipe *ap;
730 int u;
731
732 u = minor(dev);
733 ap = audit_pipe_dtab[u];
734 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL"));
735 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open"));
736
737 #ifndef __APPLE__
738 funsetown(&ap->ap_sigio);
739 #endif
740 AUDIT_PIPE_LIST_WLOCK();
741 AUDIT_PIPE_LOCK(ap);
742 ap->ap_open = 0;
743 audit_pipe_free(ap);
744 audit_pipe_dtab[u] = NULL;
745 AUDIT_PIPE_LIST_WUNLOCK();
746 return (0);
747 }
748
749 /*
750 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
751 * commands.
752 */
753 static int
754 audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data,
755 __unused int flag, __unused proc_t p)
756 {
757 struct auditpipe_ioctl_preselect *aip;
758 struct audit_pipe *ap;
759 au_mask_t *maskp;
760 int error, mode;
761 au_id_t auid;
762
763 ap = audit_pipe_dtab[minor(dev)];
764 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
765
766 /*
767 * Audit pipe ioctls: first come standard device node ioctls, then
768 * manipulation of pipe settings, and finally, statistics query
769 * ioctls.
770 */
771 switch (cmd) {
772 case FIONBIO:
773 AUDIT_PIPE_LOCK(ap);
774 if (*(int *)data)
775 ap->ap_flags |= AUDIT_PIPE_NBIO;
776 else
777 ap->ap_flags &= ~AUDIT_PIPE_NBIO;
778 AUDIT_PIPE_UNLOCK(ap);
779 error = 0;
780 break;
781
782 case FIONREAD:
783 AUDIT_PIPE_LOCK(ap);
784 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
785 AUDIT_PIPE_UNLOCK(ap);
786 error = 0;
787 break;
788
789 case FIOASYNC:
790 AUDIT_PIPE_LOCK(ap);
791 if (*(int *)data)
792 ap->ap_flags |= AUDIT_PIPE_ASYNC;
793 else
794 ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
795 AUDIT_PIPE_UNLOCK(ap);
796 error = 0;
797 break;
798
799 #ifndef __APPLE__
800 case FIOSETOWN:
801 error = fsetown(*(int *)data, &ap->ap_sigio);
802 break;
803
804 case FIOGETOWN:
805 *(int *)data = fgetown(&ap->ap_sigio);
806 error = 0;
807 break;
808 #endif /* !__APPLE__ */
809
810 case AUDITPIPE_GET_QLEN:
811 *(u_int *)data = ap->ap_qlen;
812 error = 0;
813 break;
814
815 case AUDITPIPE_GET_QLIMIT:
816 *(u_int *)data = ap->ap_qlimit;
817 error = 0;
818 break;
819
820 case AUDITPIPE_SET_QLIMIT:
821 /* Lockless integer write. */
822 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
823 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
824 ap->ap_qlimit = *(u_int *)data;
825 error = 0;
826 } else
827 error = EINVAL;
828 break;
829
830 case AUDITPIPE_GET_QLIMIT_MIN:
831 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
832 error = 0;
833 break;
834
835 case AUDITPIPE_GET_QLIMIT_MAX:
836 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
837 error = 0;
838 break;
839
840 case AUDITPIPE_GET_PRESELECT_FLAGS:
841 AUDIT_PIPE_LOCK(ap);
842 maskp = (au_mask_t *)data;
843 *maskp = ap->ap_preselect_flags;
844 AUDIT_PIPE_UNLOCK(ap);
845 error = 0;
846 break;
847
848 case AUDITPIPE_SET_PRESELECT_FLAGS:
849 AUDIT_PIPE_LOCK(ap);
850 maskp = (au_mask_t *)data;
851 ap->ap_preselect_flags = *maskp;
852 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_flags);
853 AUDIT_PIPE_UNLOCK(ap);
854 error = 0;
855 break;
856
857 case AUDITPIPE_GET_PRESELECT_NAFLAGS:
858 AUDIT_PIPE_LOCK(ap);
859 maskp = (au_mask_t *)data;
860 *maskp = ap->ap_preselect_naflags;
861 AUDIT_PIPE_UNLOCK(ap);
862 error = 0;
863 break;
864
865 case AUDITPIPE_SET_PRESELECT_NAFLAGS:
866 AUDIT_PIPE_LOCK(ap);
867 maskp = (au_mask_t *)data;
868 ap->ap_preselect_naflags = *maskp;
869 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_naflags);
870 AUDIT_PIPE_UNLOCK(ap);
871 error = 0;
872 break;
873
874 case AUDITPIPE_GET_PRESELECT_AUID:
875 aip = (struct auditpipe_ioctl_preselect *)data;
876 error = audit_pipe_preselect_get(ap, aip->aip_auid,
877 &aip->aip_mask);
878 break;
879
880 case AUDITPIPE_SET_PRESELECT_AUID:
881 aip = (struct auditpipe_ioctl_preselect *)data;
882 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
883 error = 0;
884 break;
885
886 case AUDITPIPE_DELETE_PRESELECT_AUID:
887 auid = *(au_id_t *)data;
888 error = audit_pipe_preselect_delete(ap, auid);
889 break;
890
891 case AUDITPIPE_FLUSH_PRESELECT_AUID:
892 audit_pipe_preselect_flush(ap);
893 error = 0;
894 break;
895
896 case AUDITPIPE_GET_PRESELECT_MODE:
897 AUDIT_PIPE_LOCK(ap);
898 *(int *)data = ap->ap_preselect_mode;
899 AUDIT_PIPE_UNLOCK(ap);
900 error = 0;
901 break;
902
903 case AUDITPIPE_SET_PRESELECT_MODE:
904 mode = *(int *)data;
905 switch (mode) {
906 case AUDITPIPE_PRESELECT_MODE_TRAIL:
907 case AUDITPIPE_PRESELECT_MODE_LOCAL:
908 AUDIT_PIPE_LOCK(ap);
909 ap->ap_preselect_mode = mode;
910 AUDIT_PIPE_UNLOCK(ap);
911 error = 0;
912 break;
913
914 default:
915 error = EINVAL;
916 }
917 break;
918
919 case AUDITPIPE_FLUSH:
920 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
921 return (EINTR);
922 AUDIT_PIPE_LOCK(ap);
923 audit_pipe_flush(ap);
924 AUDIT_PIPE_UNLOCK(ap);
925 AUDIT_PIPE_SX_XUNLOCK(ap);
926 error = 0;
927 break;
928
929 case AUDITPIPE_GET_MAXAUDITDATA:
930 *(u_int *)data = MAXAUDITDATA;
931 error = 0;
932 break;
933
934 case AUDITPIPE_GET_INSERTS:
935 *(u_int *)data = ap->ap_inserts;
936 error = 0;
937 break;
938
939 case AUDITPIPE_GET_READS:
940 *(u_int *)data = ap->ap_reads;
941 error = 0;
942 break;
943
944 case AUDITPIPE_GET_DROPS:
945 *(u_int *)data = ap->ap_drops;
946 error = 0;
947 break;
948
949 case AUDITPIPE_GET_TRUNCATES:
950 *(u_int *)data = 0;
951 error = 0;
952 break;
953
954 default:
955 error = ENOTTY;
956 }
957 return (error);
958 }
959
960 /*
961 * Audit pipe read. Read one or more partial or complete records to user
962 * memory.
963 */
964 static int
965 audit_pipe_read(dev_t dev, struct uio *uio, __unused int flag)
966 {
967 struct audit_pipe_entry *ape;
968 struct audit_pipe *ap;
969 u_int toread;
970 int error;
971
972 ap = audit_pipe_dtab[minor(dev)];
973 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL"));
974
975 /*
976 * We hold an sleep lock over read and flush because we rely on the
977 * stability of a record in the queue during uiomove(9).
978 */
979 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
980 return (EINTR);
981 AUDIT_PIPE_LOCK(ap);
982 while (TAILQ_EMPTY(&ap->ap_queue)) {
983 if (ap->ap_flags & AUDIT_PIPE_NBIO) {
984 AUDIT_PIPE_UNLOCK(ap);
985 AUDIT_PIPE_SX_XUNLOCK(ap);
986 return (EAGAIN);
987 }
988 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
989 if (error) {
990 AUDIT_PIPE_UNLOCK(ap);
991 AUDIT_PIPE_SX_XUNLOCK(ap);
992 return (error);
993 }
994 }
995
996 /*
997 * Copy as many remaining bytes from the current record to userspace
998 * as we can. Keep processing records until we run out of records in
999 * the queue, or until the user buffer runs out of space.
1000 *
1001 * Note: we rely on the sleep lock to maintain ape's stability here.
1002 */
1003 ap->ap_reads++;
1004 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
1005 uio_resid(uio) > 0) {
1006 AUDIT_PIPE_LOCK_ASSERT(ap);
1007
1008 KASSERT(ape->ape_record_len > ap->ap_qoffset,
1009 ("audit_pipe_read: record_len > qoffset (1)"));
1010 toread = MIN((int)(ape->ape_record_len - ap->ap_qoffset),
1011 uio_resid(uio));
1012 AUDIT_PIPE_UNLOCK(ap);
1013 error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
1014 toread, uio);
1015 if (error) {
1016 AUDIT_PIPE_SX_XUNLOCK(ap);
1017 return (error);
1018 }
1019
1020 /*
1021 * If the copy succeeded, update book-keeping, and if no
1022 * bytes remain in the current record, free it.
1023 */
1024 AUDIT_PIPE_LOCK(ap);
1025 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
1026 ("audit_pipe_read: queue out of sync after uiomove"));
1027 ap->ap_qoffset += toread;
1028 KASSERT(ape->ape_record_len >= ap->ap_qoffset,
1029 ("audit_pipe_read: record_len >= qoffset (2)"));
1030 if (ap->ap_qoffset == ape->ape_record_len) {
1031 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
1032 ap->ap_qbyteslen -= ape->ape_record_len;
1033 audit_pipe_entry_free(ape);
1034 ap->ap_qlen--;
1035 ap->ap_qoffset = 0;
1036 }
1037 }
1038 AUDIT_PIPE_UNLOCK(ap);
1039 AUDIT_PIPE_SX_XUNLOCK(ap);
1040 return (0);
1041 }
1042
1043 /*
1044 * Audit pipe poll.
1045 */
1046 static int
1047 audit_pipe_poll(dev_t dev, int events, void *wql, struct proc *p)
1048 {
1049 struct audit_pipe *ap;
1050 int revents;
1051
1052 revents = 0;
1053 ap = audit_pipe_dtab[minor(dev)];
1054 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL"));
1055
1056 if (events & (POLLIN | POLLRDNORM)) {
1057 AUDIT_PIPE_LOCK(ap);
1058 if (TAILQ_FIRST(&ap->ap_queue) != NULL)
1059 revents |= events & (POLLIN | POLLRDNORM);
1060 else
1061 selrecord(p, &ap->ap_selinfo, wql);
1062 AUDIT_PIPE_UNLOCK(ap);
1063 }
1064 return (revents);
1065 }
1066
1067 #ifndef __APPLE__
1068 /*
1069 * Return true if there are records available for reading on the pipe.
1070 */
1071 static int
1072 audit_pipe_kqread(struct knote *kn, long hint)
1073 {
1074 struct audit_pipe *ap;
1075
1076 ap = (struct audit_pipe *)kn->kn_hook;
1077 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL"));
1078 AUDIT_PIPE_LOCK_ASSERT(ap);
1079
1080 if (ap->ap_qlen != 0) {
1081 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
1082 return (1);
1083 } else {
1084 kn->kn_data = 0;
1085 return (0);
1086 }
1087 }
1088
1089 /*
1090 * Detach kqueue state from audit pipe.
1091 */
1092 static void
1093 audit_pipe_kqdetach(struct knote *kn)
1094 {
1095 struct audit_pipe *ap;
1096
1097 ap = (struct audit_pipe *)kn->kn_hook;
1098 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL"));
1099
1100 AUDIT_PIPE_LOCK(ap);
1101 knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
1102 AUDIT_PIPE_UNLOCK(ap);
1103 }
1104 #endif /* !__APPLE__ */
1105
1106 static void *devnode;
1107
1108 int
1109 audit_pipe_init(void)
1110 {
1111 dev_t dev;
1112
1113 TAILQ_INIT(&audit_pipe_list);
1114 AUDIT_PIPE_LIST_LOCK_INIT();
1115
1116 audit_pipe_major = cdevsw_add(-1, &audit_pipe_cdevsw);
1117 if (audit_pipe_major < 0)
1118 return (KERN_FAILURE);
1119
1120 dev = makedev(audit_pipe_major, 0);
1121 devnode = devfs_make_node_clone(dev, DEVFS_CHAR, UID_ROOT, GID_WHEEL,
1122 0600, audit_pipe_clone, "auditpipe", 0);
1123
1124 if (devnode == NULL)
1125 return (KERN_FAILURE);
1126
1127 return (KERN_SUCCESS);
1128 }
1129
1130 int
1131 audit_pipe_shutdown(void)
1132 {
1133
1134 /* unwind everything */
1135 devfs_remove(devnode);
1136 (void) cdevsw_remove(audit_pipe_major, &audit_pipe_cdevsw);
1137
1138 return (KERN_SUCCESS);
1139 }
1140
1141 #endif /* CONFIG_AUDIT */
mirror of XNU