]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_pipe.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1486.2.11.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_pipe.c
1 /*-
2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <stdarg.h>
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/fcntl.h>
35 #include <sys/conf.h>
36 #include <sys/poll.h>
37 #include <sys/user.h>
38 #include <sys/signalvar.h>
39 #include <miscfs/devfs/devfs.h>
40
41 #include <bsm/audit.h>
42 #include <security/audit/audit.h>
43 #include <security/audit/audit_ioctl.h>
44 #include <security/audit/audit_bsd.h>
45 #include <security/audit/audit_private.h>
46
47 #if CONFIG_AUDIT
48 /*
49 * Implementation of a clonable special device providing a live stream of BSM
50 * audit data. Consumers receive a "tee" of the system audit trail by
51 * default, but may also define alternative event selections using ioctls.
52 * This interface provides unreliable but timely access to audit events.
53 * Consumers should be very careful to avoid introducing event cycles.
54 */
55
56 /*
57 * Memory types.
58 */
59 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
60 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
61 "Audit pipe entries and buffers");
62 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
63 "Audit pipe preselection structure");
64
65 /*
66 * Audit pipe buffer parameters.
67 */
68 #define AUDIT_PIPE_QLIMIT_DEFAULT (128)
69 #define AUDIT_PIPE_QLIMIT_MIN (1)
70 #define AUDIT_PIPE_QLIMIT_MAX (1024)
71
72 /*
73 * Description of an entry in an audit_pipe.
74 */
75 struct audit_pipe_entry {
76 void *ape_record;
77 u_int ape_record_len;
78 TAILQ_ENTRY(audit_pipe_entry) ape_queue;
79 };
80
81 /*
82 * Audit pipes allow processes to express "interest" in the set of records
83 * that are delivered via the pipe. They do this in a similar manner to the
84 * mechanism for audit trail configuration, by expressing two global masks,
85 * and optionally expressing per-auid masks. The following data structure is
86 * the per-auid mask description. The global state is stored in the audit
87 * pipe data structure.
88 *
89 * We may want to consider a more space/time-efficient data structure once
90 * usage patterns for per-auid specifications are clear.
91 */
92 struct audit_pipe_preselect {
93 au_id_t app_auid;
94 au_mask_t app_mask;
95 TAILQ_ENTRY(audit_pipe_preselect) app_list;
96 };
97
98 /*
99 * Description of an individual audit_pipe. Consists largely of a bounded
100 * length queue.
101 */
102 #define AUDIT_PIPE_ASYNC 0x00000001
103 #define AUDIT_PIPE_NBIO 0x00000002
104 struct audit_pipe {
105 int ap_open; /* Device open? */
106 u_int ap_flags;
107
108 struct selinfo ap_selinfo;
109 pid_t ap_sigio;
110
111 /*
112 * Per-pipe mutex protecting most fields in this data structure.
113 */
114 struct mtx ap_mtx;
115
116 /*
117 * Per-pipe sleep lock serializing user-generated reads and flushes.
118 * uiomove() is called to copy out the current head record's data
119 * while the record remains in the queue, so we prevent other threads
120 * from removing it using this lock.
121 */
122 struct slck ap_sx;
123
124 /*
125 * Condition variable to signal when data has been delivered to a
126 * pipe.
127 */
128 struct cv ap_cv;
129
130 /*
131 * Various queue-related variables: qlen and qlimit are a count of
132 * records in the queue; qbyteslen is the number of bytes of data
133 * across all records, and qoffset is the amount read so far of the
134 * first record in the queue. The number of bytes available for
135 * reading in the queue is qbyteslen - qoffset.
136 */
137 u_int ap_qlen;
138 u_int ap_qlimit;
139 u_int ap_qbyteslen;
140 u_int ap_qoffset;
141
142 /*
143 * Per-pipe operation statistics.
144 */
145 u_int64_t ap_inserts; /* Records added. */
146 u_int64_t ap_reads; /* Records read. */
147 u_int64_t ap_drops; /* Records dropped. */
148
149 /*
150 * Fields relating to pipe interest: global masks for unmatched
151 * processes (attributable, non-attributable), and a list of specific
152 * interest specifications by auid.
153 */
154 int ap_preselect_mode;
155 au_mask_t ap_preselect_flags;
156 au_mask_t ap_preselect_naflags;
157 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
158
159 /*
160 * Current pending record list. Protected by a combination of ap_mtx
161 * and ap_sx. Note particularly that *both* locks are required to
162 * remove a record from the head of the queue, as an in-progress read
163 * may sleep while copying and therefore cannot hold ap_mtx.
164 */
165 TAILQ_HEAD(, audit_pipe_entry) ap_queue;
166
167 /*
168 * Global pipe list.
169 */
170 TAILQ_ENTRY(audit_pipe) ap_list;
171 };
172
173 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
174 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
175 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
176 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
177 "audit_pipe_mtx", NULL, MTX_DEF)
178 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
179 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
180
181 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx)
182 #define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx")
183 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED)
184 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx)
185 #define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx)
186
187
188 /*
189 * Global list of audit pipes, rwlock to protect it. Individual record
190 * queues on pipes are protected by per-pipe locks; these locks synchronize
191 * between threads walking the list to deliver to individual pipes and add/
192 * remove of pipes, and are mostly acquired for read.
193 */
194 static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
195 static struct rwlock audit_pipe_lock;
196
197 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
198 "audit_pipe_list_lock")
199 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
200 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
201 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
202 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
203 RA_WLOCKED)
204 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
205
206 /*
207 * Cloning related variables and constants.
208 */
209 #define AUDIT_PIPE_NAME "auditpipe"
210 #define MAX_AUDIT_PIPES 32
211 static int audit_pipe_major;
212
213 /*
214 * dev_t doesn't have a pointer for "softc" data. So we have to keep track of
215 * it with the following global array (indexed by the minor number).
216 *
217 * XXX We may want to dynamically grow this as needed.
218 */
219 static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES];
220
221
222 /*
223 * Special device methods and definition.
224 */
225 static open_close_fcn_t audit_pipe_open;
226 static open_close_fcn_t audit_pipe_close;
227 static read_write_fcn_t audit_pipe_read;
228 static ioctl_fcn_t audit_pipe_ioctl;
229 static select_fcn_t audit_pipe_poll;
230
231 static struct cdevsw audit_pipe_cdevsw = {
232 .d_open = audit_pipe_open,
233 .d_close = audit_pipe_close,
234 .d_read = audit_pipe_read,
235 .d_write = eno_rdwrt,
236 .d_ioctl = audit_pipe_ioctl,
237 .d_stop = eno_stop,
238 .d_reset = eno_reset,
239 .d_ttys = NULL,
240 .d_select = audit_pipe_poll,
241 .d_mmap = eno_mmap,
242 .d_strategy = eno_strat,
243 .d_type = 0
244 };
245
246 /*
247 * Some global statistics on audit pipes.
248 */
249 static int audit_pipe_count; /* Current number of pipes. */
250 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
251 static u_int64_t audit_pipe_records; /* Records seen. */
252 static u_int64_t audit_pipe_drops; /* Global record drop count. */
253
254 /*
255 * Free an audit pipe entry.
256 */
257 static void
258 audit_pipe_entry_free(struct audit_pipe_entry *ape)
259 {
260
261 free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
262 free(ape, M_AUDIT_PIPE_ENTRY);
263 }
264
265 /*
266 * Find an audit pipe preselection specification for an auid, if any.
267 */
268 static struct audit_pipe_preselect *
269 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
270 {
271 struct audit_pipe_preselect *app;
272
273 AUDIT_PIPE_LOCK_ASSERT(ap);
274
275 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
276 if (app->app_auid == auid)
277 return (app);
278 }
279 return (NULL);
280 }
281
282 /*
283 * Query the per-pipe mask for a specific auid.
284 */
285 static int
286 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
287 au_mask_t *maskp)
288 {
289 struct audit_pipe_preselect *app;
290 int error;
291
292 AUDIT_PIPE_LOCK(ap);
293 app = audit_pipe_preselect_find(ap, auid);
294 if (app != NULL) {
295 *maskp = app->app_mask;
296 error = 0;
297 } else
298 error = ENOENT;
299 AUDIT_PIPE_UNLOCK(ap);
300 return (error);
301 }
302
303 /*
304 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
305 * otherwise, update the current entry.
306 */
307 static void
308 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
309 {
310 struct audit_pipe_preselect *app, *app_new;
311
312 /*
313 * Pessimistically assume that the auid doesn't already have a mask
314 * set, and allocate. We will free it if it is unneeded.
315 */
316 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
317 AUDIT_PIPE_LOCK(ap);
318 app = audit_pipe_preselect_find(ap, auid);
319 if (app == NULL) {
320 app = app_new;
321 app_new = NULL;
322 app->app_auid = auid;
323 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
324 }
325 app->app_mask = mask;
326 AUDIT_PIPE_UNLOCK(ap);
327 if (app_new != NULL)
328 free(app_new, M_AUDIT_PIPE_PRESELECT);
329 }
330
331 /*
332 * Delete a per-auid mask on an audit pipe.
333 */
334 static int
335 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
336 {
337 struct audit_pipe_preselect *app;
338 int error;
339
340 AUDIT_PIPE_LOCK(ap);
341 app = audit_pipe_preselect_find(ap, auid);
342 if (app != NULL) {
343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
344 error = 0;
345 } else
346 error = ENOENT;
347 AUDIT_PIPE_UNLOCK(ap);
348 if (app != NULL)
349 free(app, M_AUDIT_PIPE_PRESELECT);
350 return (error);
351 }
352
353 /*
354 * Delete all per-auid masks on an audit pipe.
355 */
356 static void
357 audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
358 {
359 struct audit_pipe_preselect *app;
360
361 AUDIT_PIPE_LOCK_ASSERT(ap);
362
363 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
364 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
365 free(app, M_AUDIT_PIPE_PRESELECT);
366 }
367 }
368
369 static void
370 audit_pipe_preselect_flush(struct audit_pipe *ap)
371 {
372
373 AUDIT_PIPE_LOCK(ap);
374 audit_pipe_preselect_flush_locked(ap);
375 AUDIT_PIPE_UNLOCK(ap);
376 }
377
378 /*-
379 * Determine whether a specific audit pipe matches a record with these
380 * properties. Algorithm is as follows:
381 *
382 * - If the pipe is configured to track the default trail configuration, then
383 * use the results of global preselection matching.
384 * - If not, search for a specifically configured auid entry matching the
385 * event. If an entry is found, use that.
386 * - Otherwise, use the default flags or naflags configured for the pipe.
387 */
388 static int
389 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
390 au_event_t event, au_class_t class, int sorf, int trail_preselect)
391 {
392 struct audit_pipe_preselect *app;
393
394 AUDIT_PIPE_LOCK_ASSERT(ap);
395
396 switch (ap->ap_preselect_mode) {
397 case AUDITPIPE_PRESELECT_MODE_TRAIL:
398 return (trail_preselect);
399
400 case AUDITPIPE_PRESELECT_MODE_LOCAL:
401 app = audit_pipe_preselect_find(ap, auid);
402 if (app == NULL) {
403 if (auid == (uid_t)AU_DEFAUDITID)
404 return (au_preselect(event, class,
405 &ap->ap_preselect_naflags, sorf));
406 else
407 return (au_preselect(event, class,
408 &ap->ap_preselect_flags, sorf));
409 } else
410 return (au_preselect(event, class, &app->app_mask,
411 sorf));
412
413 default:
414 panic("audit_pipe_preselect_check: mode %d",
415 ap->ap_preselect_mode);
416 }
417
418 return (0);
419 }
420
421 /*
422 * Determine whether there exists a pipe interested in a record with specific
423 * properties.
424 */
425 int
426 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
427 int sorf, int trail_preselect)
428 {
429 struct audit_pipe *ap;
430
431 /* Lockless read to avoid acquiring the global lock if not needed. */
432 if (TAILQ_EMPTY(&audit_pipe_list))
433 return (0);
434
435 AUDIT_PIPE_LIST_RLOCK();
436 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
437 AUDIT_PIPE_LOCK(ap);
438 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
439 trail_preselect)) {
440 AUDIT_PIPE_UNLOCK(ap);
441 AUDIT_PIPE_LIST_RUNLOCK();
442 return (1);
443 }
444 AUDIT_PIPE_UNLOCK(ap);
445 }
446 AUDIT_PIPE_LIST_RUNLOCK();
447 return (0);
448 }
449
450 /*
451 * Append individual record to a queue -- allocate queue-local buffer, and
452 * add to the queue. If the queue is full or we can't allocate memory, drop
453 * the newest record.
454 */
455 static void
456 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
457 {
458 struct audit_pipe_entry *ape;
459
460 AUDIT_PIPE_LOCK_ASSERT(ap);
461
462 if (ap->ap_qlen >= ap->ap_qlimit) {
463 ap->ap_drops++;
464 audit_pipe_drops++;
465 return;
466 }
467
468 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
469 if (ape == NULL) {
470 ap->ap_drops++;
471 audit_pipe_drops++;
472 return;
473 }
474
475 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
476 if (ape->ape_record == NULL) {
477 free(ape, M_AUDIT_PIPE_ENTRY);
478 ap->ap_drops++;
479 audit_pipe_drops++;
480 return;
481 }
482
483 bcopy(record, ape->ape_record, record_len);
484 ape->ape_record_len = record_len;
485
486 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
487 ap->ap_inserts++;
488 ap->ap_qlen++;
489 ap->ap_qbyteslen += ape->ape_record_len;
490 selwakeup(&ap->ap_selinfo);
491 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
492 pgsigio(ap->ap_sigio, SIGIO);
493 #if 0 /* XXX - fix select */
494 selwakeuppri(&ap->ap_selinfo, PSOCK);
495 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
496 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
497 pgsigio(&ap->ap_sigio, SIGIO, 0);
498 #endif
499 cv_broadcast(&ap->ap_cv);
500 }
501
502 /*
503 * audit_pipe_submit(): audit_worker submits audit records via this
504 * interface, which arranges for them to be delivered to pipe queues.
505 */
506 void
507 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
508 int trail_select, void *record, u_int record_len)
509 {
510 struct audit_pipe *ap;
511
512 /*
513 * Lockless read to avoid lock overhead if pipes are not in use.
514 */
515 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
516 return;
517
518 AUDIT_PIPE_LIST_RLOCK();
519 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
520 AUDIT_PIPE_LOCK(ap);
521 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
522 trail_select))
523 audit_pipe_append(ap, record, record_len);
524 AUDIT_PIPE_UNLOCK(ap);
525 }
526 AUDIT_PIPE_LIST_RUNLOCK();
527
528 /* Unlocked increment. */
529 audit_pipe_records++;
530 }
531
532 /*
533 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
534 * since we don't currently have selection information available, it is
535 * delivered to the pipe unconditionally.
536 *
537 * XXXRW: This is a bug. The BSM check routine for submitting a user record
538 * should parse that information and return it.
539 */
540 void
541 audit_pipe_submit_user(void *record, u_int record_len)
542 {
543 struct audit_pipe *ap;
544
545 /*
546 * Lockless read to avoid lock overhead if pipes are not in use.
547 */
548 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
549 return;
550
551 AUDIT_PIPE_LIST_RLOCK();
552 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
553 AUDIT_PIPE_LOCK(ap);
554 audit_pipe_append(ap, record, record_len);
555 AUDIT_PIPE_UNLOCK(ap);
556 }
557 AUDIT_PIPE_LIST_RUNLOCK();
558
559 /* Unlocked increment. */
560 audit_pipe_records++;
561 }
562
563 /*
564 * Allocate a new audit pipe. Connects the pipe, on success, to the global
565 * list and updates statistics.
566 */
567 static struct audit_pipe *
568 audit_pipe_alloc(void)
569 {
570 struct audit_pipe *ap;
571
572 AUDIT_PIPE_LIST_WLOCK_ASSERT();
573
574 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO);
575 if (ap == NULL)
576 return (NULL);
577
578 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
579 TAILQ_INIT(&ap->ap_queue);
580 #ifndef __APPLE__
581 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL,
582 NULL);
583 #endif
584 AUDIT_PIPE_LOCK_INIT(ap);
585 AUDIT_PIPE_SX_LOCK_INIT(ap);
586 cv_init(&ap->ap_cv, "audit_pipe");
587
588 /*
589 * Default flags, naflags, and auid-specific preselection settings to
590 * 0. Initialize the mode to the global trail so that if praudit(1)
591 * is run on /dev/auditpipe, it sees events associated with the
592 * default trail. Pipe-aware application can clear the flag, set
593 * custom masks, and flush the pipe as needed.
594 */
595 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
596 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
597 TAILQ_INIT(&ap->ap_preselect_list);
598 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
599
600 /*
601 * Add to global list and update global statistics.
602 */
603 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
604 audit_pipe_count++;
605 audit_pipe_ever++;
606
607 return (ap);
608 }
609
610 /*
611 * Flush all records currently present in an audit pipe; assume mutex is held.
612 */
613 static void
614 audit_pipe_flush(struct audit_pipe *ap)
615 {
616 struct audit_pipe_entry *ape;
617
618 AUDIT_PIPE_LOCK_ASSERT(ap);
619
620 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
621 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
622 ap->ap_qbyteslen -= ape->ape_record_len;
623 audit_pipe_entry_free(ape);
624 ap->ap_qlen--;
625 }
626 ap->ap_qoffset = 0;
627
628 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
629 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
630 }
631
632 /*
633 * Free an audit pipe; this means freeing all preselection state and all
634 * records in the pipe. Assumes global write lock and pipe mutex are held to
635 * revent any new records from being inserted during the free, and that the
636 * audit pipe is still on the global list.
637 */
638 static void
639 audit_pipe_free(struct audit_pipe *ap)
640 {
641
642 AUDIT_PIPE_LIST_WLOCK_ASSERT();
643 AUDIT_PIPE_LOCK_ASSERT(ap);
644
645 audit_pipe_preselect_flush_locked(ap);
646 audit_pipe_flush(ap);
647 cv_destroy(&ap->ap_cv);
648 AUDIT_PIPE_SX_LOCK_DESTROY(ap);
649 AUDIT_PIPE_LOCK_DESTROY(ap);
650 #ifndef __APPLE__
651 knlist_destroy(&ap->ap_selinfo.si_note);
652 #endif
653 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
654 free(ap, M_AUDIT_PIPE);
655 audit_pipe_count--;
656 }
657
658 /*
659 * Audit pipe clone routine -- provides a new minor number, or to return (-1),
660 * if one can't be provided. Called with DEVFS_LOCK held.
661 */
662 static int
663 audit_pipe_clone(__unused dev_t dev, int action)
664 {
665 int i;
666
667 if (action == DEVFS_CLONE_ALLOC) {
668 for(i = 0; i < MAX_AUDIT_PIPES; i++)
669 if (audit_pipe_dtab[i] == NULL)
670 return (i);
671
672 /*
673 * XXX Should really return -1 here but that seems to hang
674 * things in devfs. Instead return 0 and let _open() tell
675 * userland the bad news.
676 */
677 return (0);
678 }
679
680 return (-1);
681 }
682
683 /*
684 * Audit pipe open method. Explicit privilege check isn't used as this
685 * allows file permissions on the special device to be used to grant audit
686 * review access. Those file permissions should be managed carefully.
687 */
688 static int
689 audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype,
690 __unused proc_t p)
691 {
692 struct audit_pipe *ap;
693 int u;
694
695 u = minor(dev);
696 if (u < 0 || u > MAX_AUDIT_PIPES)
697 return (ENXIO);
698
699 AUDIT_PIPE_LIST_WLOCK();
700 ap = audit_pipe_dtab[u];
701 if (ap == NULL) {
702 ap = audit_pipe_alloc();
703 if (ap == NULL) {
704 AUDIT_PIPE_LIST_WUNLOCK();
705 return (ENOMEM);
706 }
707 audit_pipe_dtab[u] = ap;
708 } else {
709 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open"));
710 AUDIT_PIPE_LIST_WUNLOCK();
711 return (EBUSY);
712 }
713 ap->ap_open = 1;
714 AUDIT_PIPE_LIST_WUNLOCK();
715 #ifndef __APPLE__
716 fsetown(td->td_proc->p_pid, &ap->ap_sigio);
717 #endif
718 return (0);
719 }
720
721 /*
722 * Close audit pipe, tear down all records, etc.
723 */
724 static int
725 audit_pipe_close(dev_t dev, __unused int flags, __unused int devtype,
726 __unused proc_t p)
727 {
728 struct audit_pipe *ap;
729 int u;
730
731 u = minor(dev);
732 ap = audit_pipe_dtab[u];
733 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL"));
734 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open"));
735
736 #ifndef __APPLE__
737 funsetown(&ap->ap_sigio);
738 #endif
739 AUDIT_PIPE_LIST_WLOCK();
740 AUDIT_PIPE_LOCK(ap);
741 ap->ap_open = 0;
742 audit_pipe_free(ap);
743 audit_pipe_dtab[u] = NULL;
744 AUDIT_PIPE_LIST_WUNLOCK();
745 return (0);
746 }
747
748 /*
749 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
750 * commands.
751 */
752 static int
753 audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data,
754 __unused int flag, __unused proc_t p)
755 {
756 struct auditpipe_ioctl_preselect *aip;
757 struct audit_pipe *ap;
758 au_mask_t *maskp;
759 int error, mode;
760 au_id_t auid;
761
762 ap = audit_pipe_dtab[minor(dev)];
763 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
764
765 /*
766 * Audit pipe ioctls: first come standard device node ioctls, then
767 * manipulation of pipe settings, and finally, statistics query
768 * ioctls.
769 */
770 switch (cmd) {
771 case FIONBIO:
772 AUDIT_PIPE_LOCK(ap);
773 if (*(int *)data)
774 ap->ap_flags |= AUDIT_PIPE_NBIO;
775 else
776 ap->ap_flags &= ~AUDIT_PIPE_NBIO;
777 AUDIT_PIPE_UNLOCK(ap);
778 error = 0;
779 break;
780
781 case FIONREAD:
782 AUDIT_PIPE_LOCK(ap);
783 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
784 AUDIT_PIPE_UNLOCK(ap);
785 error = 0;
786 break;
787
788 case FIOASYNC:
789 AUDIT_PIPE_LOCK(ap);
790 if (*(int *)data)
791 ap->ap_flags |= AUDIT_PIPE_ASYNC;
792 else
793 ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
794 AUDIT_PIPE_UNLOCK(ap);
795 error = 0;
796 break;
797
798 #ifndef __APPLE__
799 case FIOSETOWN:
800 error = fsetown(*(int *)data, &ap->ap_sigio);
801 break;
802
803 case FIOGETOWN:
804 *(int *)data = fgetown(&ap->ap_sigio);
805 error = 0;
806 break;
807 #endif /* !__APPLE__ */
808
809 case AUDITPIPE_GET_QLEN:
810 *(u_int *)data = ap->ap_qlen;
811 error = 0;
812 break;
813
814 case AUDITPIPE_GET_QLIMIT:
815 *(u_int *)data = ap->ap_qlimit;
816 error = 0;
817 break;
818
819 case AUDITPIPE_SET_QLIMIT:
820 /* Lockless integer write. */
821 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
822 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
823 ap->ap_qlimit = *(u_int *)data;
824 error = 0;
825 } else
826 error = EINVAL;
827 break;
828
829 case AUDITPIPE_GET_QLIMIT_MIN:
830 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
831 error = 0;
832 break;
833
834 case AUDITPIPE_GET_QLIMIT_MAX:
835 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
836 error = 0;
837 break;
838
839 case AUDITPIPE_GET_PRESELECT_FLAGS:
840 AUDIT_PIPE_LOCK(ap);
841 maskp = (au_mask_t *)data;
842 *maskp = ap->ap_preselect_flags;
843 AUDIT_PIPE_UNLOCK(ap);
844 error = 0;
845 break;
846
847 case AUDITPIPE_SET_PRESELECT_FLAGS:
848 AUDIT_PIPE_LOCK(ap);
849 maskp = (au_mask_t *)data;
850 ap->ap_preselect_flags = *maskp;
851 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_flags);
852 AUDIT_PIPE_UNLOCK(ap);
853 error = 0;
854 break;
855
856 case AUDITPIPE_GET_PRESELECT_NAFLAGS:
857 AUDIT_PIPE_LOCK(ap);
858 maskp = (au_mask_t *)data;
859 *maskp = ap->ap_preselect_naflags;
860 AUDIT_PIPE_UNLOCK(ap);
861 error = 0;
862 break;
863
864 case AUDITPIPE_SET_PRESELECT_NAFLAGS:
865 AUDIT_PIPE_LOCK(ap);
866 maskp = (au_mask_t *)data;
867 ap->ap_preselect_naflags = *maskp;
868 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_naflags);
869 AUDIT_PIPE_UNLOCK(ap);
870 error = 0;
871 break;
872
873 case AUDITPIPE_GET_PRESELECT_AUID:
874 aip = (struct auditpipe_ioctl_preselect *)data;
875 error = audit_pipe_preselect_get(ap, aip->aip_auid,
876 &aip->aip_mask);
877 break;
878
879 case AUDITPIPE_SET_PRESELECT_AUID:
880 aip = (struct auditpipe_ioctl_preselect *)data;
881 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
882 error = 0;
883 break;
884
885 case AUDITPIPE_DELETE_PRESELECT_AUID:
886 auid = *(au_id_t *)data;
887 error = audit_pipe_preselect_delete(ap, auid);
888 break;
889
890 case AUDITPIPE_FLUSH_PRESELECT_AUID:
891 audit_pipe_preselect_flush(ap);
892 error = 0;
893 break;
894
895 case AUDITPIPE_GET_PRESELECT_MODE:
896 AUDIT_PIPE_LOCK(ap);
897 *(int *)data = ap->ap_preselect_mode;
898 AUDIT_PIPE_UNLOCK(ap);
899 error = 0;
900 break;
901
902 case AUDITPIPE_SET_PRESELECT_MODE:
903 mode = *(int *)data;
904 switch (mode) {
905 case AUDITPIPE_PRESELECT_MODE_TRAIL:
906 case AUDITPIPE_PRESELECT_MODE_LOCAL:
907 AUDIT_PIPE_LOCK(ap);
908 ap->ap_preselect_mode = mode;
909 AUDIT_PIPE_UNLOCK(ap);
910 error = 0;
911 break;
912
913 default:
914 error = EINVAL;
915 }
916 break;
917
918 case AUDITPIPE_FLUSH:
919 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
920 return (EINTR);
921 AUDIT_PIPE_LOCK(ap);
922 audit_pipe_flush(ap);
923 AUDIT_PIPE_UNLOCK(ap);
924 AUDIT_PIPE_SX_XUNLOCK(ap);
925 error = 0;
926 break;
927
928 case AUDITPIPE_GET_MAXAUDITDATA:
929 *(u_int *)data = MAXAUDITDATA;
930 error = 0;
931 break;
932
933 case AUDITPIPE_GET_INSERTS:
934 *(u_int *)data = ap->ap_inserts;
935 error = 0;
936 break;
937
938 case AUDITPIPE_GET_READS:
939 *(u_int *)data = ap->ap_reads;
940 error = 0;
941 break;
942
943 case AUDITPIPE_GET_DROPS:
944 *(u_int *)data = ap->ap_drops;
945 error = 0;
946 break;
947
948 case AUDITPIPE_GET_TRUNCATES:
949 *(u_int *)data = 0;
950 error = 0;
951 break;
952
953 default:
954 error = ENOTTY;
955 }
956 return (error);
957 }
958
959 /*
960 * Audit pipe read. Read one or more partial or complete records to user
961 * memory.
962 */
963 static int
964 audit_pipe_read(dev_t dev, struct uio *uio, __unused int flag)
965 {
966 struct audit_pipe_entry *ape;
967 struct audit_pipe *ap;
968 u_int toread;
969 int error;
970
971 ap = audit_pipe_dtab[minor(dev)];
972 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL"));
973
974 /*
975 * We hold an sleep lock over read and flush because we rely on the
976 * stability of a record in the queue during uiomove(9).
977 */
978 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
979 return (EINTR);
980 AUDIT_PIPE_LOCK(ap);
981 while (TAILQ_EMPTY(&ap->ap_queue)) {
982 if (ap->ap_flags & AUDIT_PIPE_NBIO) {
983 AUDIT_PIPE_UNLOCK(ap);
984 AUDIT_PIPE_SX_XUNLOCK(ap);
985 return (EAGAIN);
986 }
987 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
988 if (error) {
989 AUDIT_PIPE_UNLOCK(ap);
990 AUDIT_PIPE_SX_XUNLOCK(ap);
991 return (error);
992 }
993 }
994
995 /*
996 * Copy as many remaining bytes from the current record to userspace
997 * as we can. Keep processing records until we run out of records in
998 * the queue, or until the user buffer runs out of space.
999 *
1000 * Note: we rely on the sleep lock to maintain ape's stability here.
1001 */
1002 ap->ap_reads++;
1003 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
1004 uio_resid(uio) > 0) {
1005 AUDIT_PIPE_LOCK_ASSERT(ap);
1006
1007 KASSERT(ape->ape_record_len > ap->ap_qoffset,
1008 ("audit_pipe_read: record_len > qoffset (1)"));
1009 toread = MIN(ape->ape_record_len - ap->ap_qoffset,
1010 uio_resid(uio));
1011 AUDIT_PIPE_UNLOCK(ap);
1012 error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
1013 toread, uio);
1014 if (error) {
1015 AUDIT_PIPE_SX_XUNLOCK(ap);
1016 return (error);
1017 }
1018
1019 /*
1020 * If the copy succeeded, update book-keeping, and if no
1021 * bytes remain in the current record, free it.
1022 */
1023 AUDIT_PIPE_LOCK(ap);
1024 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
1025 ("audit_pipe_read: queue out of sync after uiomove"));
1026 ap->ap_qoffset += toread;
1027 KASSERT(ape->ape_record_len >= ap->ap_qoffset,
1028 ("audit_pipe_read: record_len >= qoffset (2)"));
1029 if (ap->ap_qoffset == ape->ape_record_len) {
1030 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
1031 ap->ap_qbyteslen -= ape->ape_record_len;
1032 audit_pipe_entry_free(ape);
1033 ap->ap_qlen--;
1034 ap->ap_qoffset = 0;
1035 }
1036 }
1037 AUDIT_PIPE_UNLOCK(ap);
1038 AUDIT_PIPE_SX_XUNLOCK(ap);
1039 return (0);
1040 }
1041
1042 /*
1043 * Audit pipe poll.
1044 */
1045 static int
1046 audit_pipe_poll(dev_t dev, int events, void *wql, struct proc *p)
1047 {
1048 struct audit_pipe *ap;
1049 int revents;
1050
1051 revents = 0;
1052 ap = audit_pipe_dtab[minor(dev)];
1053 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL"));
1054
1055 if (events & (POLLIN | POLLRDNORM)) {
1056 AUDIT_PIPE_LOCK(ap);
1057 if (TAILQ_FIRST(&ap->ap_queue) != NULL)
1058 revents |= events & (POLLIN | POLLRDNORM);
1059 else
1060 selrecord(p, &ap->ap_selinfo, wql);
1061 AUDIT_PIPE_UNLOCK(ap);
1062 }
1063 return (revents);
1064 }
1065
1066 #ifndef __APPLE__
1067 /*
1068 * Return true if there are records available for reading on the pipe.
1069 */
1070 static int
1071 audit_pipe_kqread(struct knote *kn, long hint)
1072 {
1073 struct audit_pipe *ap;
1074
1075 ap = (struct audit_pipe *)kn->kn_hook;
1076 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL"));
1077 AUDIT_PIPE_LOCK_ASSERT(ap);
1078
1079 if (ap->ap_qlen != 0) {
1080 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
1081 return (1);
1082 } else {
1083 kn->kn_data = 0;
1084 return (0);
1085 }
1086 }
1087
1088 /*
1089 * Detach kqueue state from audit pipe.
1090 */
1091 static void
1092 audit_pipe_kqdetach(struct knote *kn)
1093 {
1094 struct audit_pipe *ap;
1095
1096 ap = (struct audit_pipe *)kn->kn_hook;
1097 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL"));
1098
1099 AUDIT_PIPE_LOCK(ap);
1100 knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
1101 AUDIT_PIPE_UNLOCK(ap);
1102 }
1103 #endif /* !__APPLE__ */
1104
1105 static void *devnode;
1106
1107 int
1108 audit_pipe_init(void)
1109 {
1110 dev_t dev;
1111
1112 TAILQ_INIT(&audit_pipe_list);
1113 AUDIT_PIPE_LIST_LOCK_INIT();
1114
1115 audit_pipe_major = cdevsw_add(-1, &audit_pipe_cdevsw);
1116 if (audit_pipe_major < 0)
1117 return (KERN_FAILURE);
1118
1119 dev = makedev(audit_pipe_major, 0);
1120 devnode = devfs_make_node_clone(dev, DEVFS_CHAR, UID_ROOT, GID_WHEEL,
1121 0600, audit_pipe_clone, "auditpipe", 0);
1122
1123 if (devnode == NULL)
1124 return (KERN_FAILURE);
1125
1126 return (KERN_SUCCESS);
1127 }
1128
1129 int
1130 audit_pipe_shutdown(void)
1131 {
1132
1133 /* unwind everything */
1134 devfs_remove(devnode);
1135 (void) cdevsw_remove(audit_pipe_major, &audit_pipe_cdevsw);
1136
1137 return (KERN_SUCCESS);
1138 }
1139
1140 #endif /* CONFIG_AUDIT */
mirror of XNU