2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/param.h>
32 #include <sys/systm.h>
33 #include <sys/kernel.h>
34 #include <sys/fcntl.h>
38 #include <sys/signalvar.h>
39 #include <miscfs/devfs/devfs.h>
41 #include <bsm/audit.h>
42 #include <security/audit/audit.h>
43 #include <security/audit/audit_ioctl.h>
44 #include <security/audit/audit_bsd.h>
45 #include <security/audit/audit_private.h>
49 * Implementation of a clonable special device providing a live stream of BSM
50 * audit data. Consumers receive a "tee" of the system audit trail by
51 * default, but may also define alternative event selections using ioctls.
52 * This interface provides unreliable but timely access to audit events.
53 * Consumers should be very careful to avoid introducing event cycles.
59 static MALLOC_DEFINE(M_AUDIT_PIPE
, "audit_pipe", "Audit pipes");
60 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY
, "audit_pipeent",
61 "Audit pipe entries and buffers");
62 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT
, "audit_pipe_presel",
63 "Audit pipe preselection structure");
66 * Audit pipe buffer parameters.
68 #define AUDIT_PIPE_QLIMIT_DEFAULT (128)
69 #define AUDIT_PIPE_QLIMIT_MIN (1)
70 #define AUDIT_PIPE_QLIMIT_MAX (1024)
73 * Description of an entry in an audit_pipe.
75 struct audit_pipe_entry
{
78 TAILQ_ENTRY(audit_pipe_entry
) ape_queue
;
82 * Audit pipes allow processes to express "interest" in the set of records
83 * that are delivered via the pipe. They do this in a similar manner to the
84 * mechanism for audit trail configuration, by expressing two global masks,
85 * and optionally expressing per-auid masks. The following data structure is
86 * the per-auid mask description. The global state is stored in the audit
87 * pipe data structure.
89 * We may want to consider a more space/time-efficient data structure once
90 * usage patterns for per-auid specifications are clear.
92 struct audit_pipe_preselect
{
95 TAILQ_ENTRY(audit_pipe_preselect
) app_list
;
99 * Description of an individual audit_pipe. Consists largely of a bounded
102 #define AUDIT_PIPE_ASYNC 0x00000001
103 #define AUDIT_PIPE_NBIO 0x00000002
105 int ap_open
; /* Device open? */
108 struct selinfo ap_selinfo
;
112 * Per-pipe mutex protecting most fields in this data structure.
117 * Per-pipe sleep lock serializing user-generated reads and flushes.
118 * uiomove() is called to copy out the current head record's data
119 * while the record remains in the queue, so we prevent other threads
120 * from removing it using this lock.
125 * Condition variable to signal when data has been delivered to a
131 * Various queue-related variables: qlen and qlimit are a count of
132 * records in the queue; qbyteslen is the number of bytes of data
133 * across all records, and qoffset is the amount read so far of the
134 * first record in the queue. The number of bytes available for
135 * reading in the queue is qbyteslen - qoffset.
143 * Per-pipe operation statistics.
145 u_int64_t ap_inserts
; /* Records added. */
146 u_int64_t ap_reads
; /* Records read. */
147 u_int64_t ap_drops
; /* Records dropped. */
150 * Fields relating to pipe interest: global masks for unmatched
151 * processes (attributable, non-attributable), and a list of specific
152 * interest specifications by auid.
154 int ap_preselect_mode
;
155 au_mask_t ap_preselect_flags
;
156 au_mask_t ap_preselect_naflags
;
157 TAILQ_HEAD(, audit_pipe_preselect
) ap_preselect_list
;
160 * Current pending record list. Protected by a combination of ap_mtx
161 * and ap_sx. Note particularly that *both* locks are required to
162 * remove a record from the head of the queue, as an in-progress read
163 * may sleep while copying and therefore cannot hold ap_mtx.
165 TAILQ_HEAD(, audit_pipe_entry
) ap_queue
;
170 TAILQ_ENTRY(audit_pipe
) ap_list
;
173 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
174 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
175 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
176 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
177 "audit_pipe_mtx", NULL, MTX_DEF)
178 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
179 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
181 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx)
182 #define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx")
183 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED)
184 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx)
185 #define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx)
189 * Global list of audit pipes, rwlock to protect it. Individual record
190 * queues on pipes are protected by per-pipe locks; these locks synchronize
191 * between threads walking the list to deliver to individual pipes and add/
192 * remove of pipes, and are mostly acquired for read.
194 static TAILQ_HEAD(, audit_pipe
) audit_pipe_list
;
195 static struct rwlock audit_pipe_lock
;
197 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
198 "audit_pipe_list_lock")
199 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
200 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
201 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
202 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
204 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
207 * Cloning related variables and constants.
209 #define AUDIT_PIPE_NAME "auditpipe"
210 #define MAX_AUDIT_PIPES 32
211 static int audit_pipe_major
;
214 * dev_t doesn't have a pointer for "softc" data. So we have to keep track of
215 * it with the following global array (indexed by the minor number).
217 * XXX We may want to dynamically grow this as needed.
219 static struct audit_pipe
*audit_pipe_dtab
[MAX_AUDIT_PIPES
];
223 * Special device methods and definition.
225 static open_close_fcn_t audit_pipe_open
;
226 static open_close_fcn_t audit_pipe_close
;
227 static read_write_fcn_t audit_pipe_read
;
228 static ioctl_fcn_t audit_pipe_ioctl
;
229 static select_fcn_t audit_pipe_poll
;
231 static struct cdevsw audit_pipe_cdevsw
= {
232 .d_open
= audit_pipe_open
,
233 .d_close
= audit_pipe_close
,
234 .d_read
= audit_pipe_read
,
235 .d_write
= eno_rdwrt
,
236 .d_ioctl
= audit_pipe_ioctl
,
238 .d_reset
= eno_reset
,
240 .d_select
= audit_pipe_poll
,
242 .d_strategy
= eno_strat
,
247 * Some global statistics on audit pipes.
249 static int audit_pipe_count
; /* Current number of pipes. */
250 static u_int64_t audit_pipe_ever
; /* Pipes ever allocated. */
251 static u_int64_t audit_pipe_records
; /* Records seen. */
252 static u_int64_t audit_pipe_drops
; /* Global record drop count. */
255 * Free an audit pipe entry.
258 audit_pipe_entry_free(struct audit_pipe_entry
*ape
)
260 free(ape
->ape_record
, M_AUDIT_PIPE_ENTRY
);
261 free(ape
, M_AUDIT_PIPE_ENTRY
);
265 * Find an audit pipe preselection specification for an auid, if any.
267 static struct audit_pipe_preselect
*
268 audit_pipe_preselect_find(struct audit_pipe
*ap
, au_id_t auid
)
270 struct audit_pipe_preselect
*app
;
272 AUDIT_PIPE_LOCK_ASSERT(ap
);
274 TAILQ_FOREACH(app
, &ap
->ap_preselect_list
, app_list
) {
275 if (app
->app_auid
== auid
) {
283 * Query the per-pipe mask for a specific auid.
286 audit_pipe_preselect_get(struct audit_pipe
*ap
, au_id_t auid
,
289 struct audit_pipe_preselect
*app
;
293 app
= audit_pipe_preselect_find(ap
, auid
);
295 *maskp
= app
->app_mask
;
300 AUDIT_PIPE_UNLOCK(ap
);
305 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
306 * otherwise, update the current entry.
309 audit_pipe_preselect_set(struct audit_pipe
*ap
, au_id_t auid
, au_mask_t mask
)
311 struct audit_pipe_preselect
*app
, *app_new
;
314 * Pessimistically assume that the auid doesn't already have a mask
315 * set, and allocate. We will free it if it is unneeded.
317 app_new
= malloc(sizeof(*app_new
), M_AUDIT_PIPE_PRESELECT
, M_WAITOK
);
319 app
= audit_pipe_preselect_find(ap
, auid
);
323 app
->app_auid
= auid
;
324 TAILQ_INSERT_TAIL(&ap
->ap_preselect_list
, app
, app_list
);
326 app
->app_mask
= mask
;
327 AUDIT_PIPE_UNLOCK(ap
);
328 if (app_new
!= NULL
) {
329 free(app_new
, M_AUDIT_PIPE_PRESELECT
);
334 * Delete a per-auid mask on an audit pipe.
337 audit_pipe_preselect_delete(struct audit_pipe
*ap
, au_id_t auid
)
339 struct audit_pipe_preselect
*app
;
343 app
= audit_pipe_preselect_find(ap
, auid
);
345 TAILQ_REMOVE(&ap
->ap_preselect_list
, app
, app_list
);
350 AUDIT_PIPE_UNLOCK(ap
);
352 free(app
, M_AUDIT_PIPE_PRESELECT
);
358 * Delete all per-auid masks on an audit pipe.
361 audit_pipe_preselect_flush_locked(struct audit_pipe
*ap
)
363 struct audit_pipe_preselect
*app
;
365 AUDIT_PIPE_LOCK_ASSERT(ap
);
367 while ((app
= TAILQ_FIRST(&ap
->ap_preselect_list
)) != NULL
) {
368 TAILQ_REMOVE(&ap
->ap_preselect_list
, app
, app_list
);
369 free(app
, M_AUDIT_PIPE_PRESELECT
);
374 audit_pipe_preselect_flush(struct audit_pipe
*ap
)
377 audit_pipe_preselect_flush_locked(ap
);
378 AUDIT_PIPE_UNLOCK(ap
);
382 * Determine whether a specific audit pipe matches a record with these
383 * properties. Algorithm is as follows:
385 * - If the pipe is configured to track the default trail configuration, then
386 * use the results of global preselection matching.
387 * - If not, search for a specifically configured auid entry matching the
388 * event. If an entry is found, use that.
389 * - Otherwise, use the default flags or naflags configured for the pipe.
392 audit_pipe_preselect_check(struct audit_pipe
*ap
, au_id_t auid
,
393 au_event_t event
, au_class_t
class, int sorf
, int trail_preselect
)
395 struct audit_pipe_preselect
*app
;
397 AUDIT_PIPE_LOCK_ASSERT(ap
);
399 switch (ap
->ap_preselect_mode
) {
400 case AUDITPIPE_PRESELECT_MODE_TRAIL
:
401 return trail_preselect
;
403 case AUDITPIPE_PRESELECT_MODE_LOCAL
:
404 app
= audit_pipe_preselect_find(ap
, auid
);
406 if (auid
== (uid_t
)AU_DEFAUDITID
) {
407 return au_preselect(event
, class,
408 &ap
->ap_preselect_naflags
, sorf
);
410 return au_preselect(event
, class,
411 &ap
->ap_preselect_flags
, sorf
);
414 return au_preselect(event
, class, &app
->app_mask
,
419 panic("audit_pipe_preselect_check: mode %d",
420 ap
->ap_preselect_mode
);
427 * Determine whether there exists a pipe interested in a record with specific
431 audit_pipe_preselect(au_id_t auid
, au_event_t event
, au_class_t
class,
432 int sorf
, int trail_preselect
)
434 struct audit_pipe
*ap
;
436 /* Lockless read to avoid acquiring the global lock if not needed. */
437 if (TAILQ_EMPTY(&audit_pipe_list
)) {
441 AUDIT_PIPE_LIST_RLOCK();
442 TAILQ_FOREACH(ap
, &audit_pipe_list
, ap_list
) {
444 if (audit_pipe_preselect_check(ap
, auid
, event
, class, sorf
,
446 AUDIT_PIPE_UNLOCK(ap
);
447 AUDIT_PIPE_LIST_RUNLOCK();
450 AUDIT_PIPE_UNLOCK(ap
);
452 AUDIT_PIPE_LIST_RUNLOCK();
457 * Append individual record to a queue -- allocate queue-local buffer, and
458 * add to the queue. If the queue is full or we can't allocate memory, drop
462 audit_pipe_append(struct audit_pipe
*ap
, void *record
, u_int record_len
)
464 struct audit_pipe_entry
*ape
;
466 AUDIT_PIPE_LOCK_ASSERT(ap
);
468 if (ap
->ap_qlen
>= ap
->ap_qlimit
) {
474 ape
= malloc(sizeof(*ape
), M_AUDIT_PIPE_ENTRY
, M_NOWAIT
| M_ZERO
);
481 ape
->ape_record
= malloc(record_len
, M_AUDIT_PIPE_ENTRY
, M_NOWAIT
);
482 if (ape
->ape_record
== NULL
) {
483 free(ape
, M_AUDIT_PIPE_ENTRY
);
489 bcopy(record
, ape
->ape_record
, record_len
);
490 ape
->ape_record_len
= record_len
;
492 TAILQ_INSERT_TAIL(&ap
->ap_queue
, ape
, ape_queue
);
495 ap
->ap_qbyteslen
+= ape
->ape_record_len
;
496 selwakeup(&ap
->ap_selinfo
);
497 if (ap
->ap_flags
& AUDIT_PIPE_ASYNC
) {
498 pgsigio(ap
->ap_sigio
, SIGIO
);
500 #if 0 /* XXX - fix select */
501 selwakeuppri(&ap
->ap_selinfo
, PSOCK
);
502 KNOTE_LOCKED(&ap
->ap_selinfo
.si_note
, 0);
503 if (ap
->ap_flags
& AUDIT_PIPE_ASYNC
) {
504 pgsigio(&ap
->ap_sigio
, SIGIO
, 0);
507 cv_broadcast(&ap
->ap_cv
);
511 * audit_pipe_submit(): audit_worker submits audit records via this
512 * interface, which arranges for them to be delivered to pipe queues.
515 audit_pipe_submit(au_id_t auid
, au_event_t event
, au_class_t
class, int sorf
,
516 int trail_select
, void *record
, u_int record_len
)
518 struct audit_pipe
*ap
;
521 * Lockless read to avoid lock overhead if pipes are not in use.
523 if (TAILQ_FIRST(&audit_pipe_list
) == NULL
) {
527 AUDIT_PIPE_LIST_RLOCK();
528 TAILQ_FOREACH(ap
, &audit_pipe_list
, ap_list
) {
530 if (audit_pipe_preselect_check(ap
, auid
, event
, class, sorf
,
532 audit_pipe_append(ap
, record
, record_len
);
534 AUDIT_PIPE_UNLOCK(ap
);
536 AUDIT_PIPE_LIST_RUNLOCK();
538 /* Unlocked increment. */
539 audit_pipe_records
++;
543 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
544 * since we don't currently have selection information available, it is
545 * delivered to the pipe unconditionally.
547 * XXXRW: This is a bug. The BSM check routine for submitting a user record
548 * should parse that information and return it.
551 audit_pipe_submit_user(void *record
, u_int record_len
)
553 struct audit_pipe
*ap
;
556 * Lockless read to avoid lock overhead if pipes are not in use.
558 if (TAILQ_FIRST(&audit_pipe_list
) == NULL
) {
562 AUDIT_PIPE_LIST_RLOCK();
563 TAILQ_FOREACH(ap
, &audit_pipe_list
, ap_list
) {
565 audit_pipe_append(ap
, record
, record_len
);
566 AUDIT_PIPE_UNLOCK(ap
);
568 AUDIT_PIPE_LIST_RUNLOCK();
570 /* Unlocked increment. */
571 audit_pipe_records
++;
575 * Allocate a new audit pipe. Connects the pipe, on success, to the global
576 * list and updates statistics.
578 static struct audit_pipe
*
579 audit_pipe_alloc(void)
581 struct audit_pipe
*ap
;
583 AUDIT_PIPE_LIST_WLOCK_ASSERT();
585 ap
= malloc(sizeof(*ap
), M_AUDIT_PIPE
, M_WAITOK
| M_ZERO
);
590 ap
->ap_qlimit
= AUDIT_PIPE_QLIMIT_DEFAULT
;
591 TAILQ_INIT(&ap
->ap_queue
);
593 knlist_init(&ap
->ap_selinfo
.si_note
, AUDIT_PIPE_MTX(ap
), NULL
, NULL
,
596 AUDIT_PIPE_LOCK_INIT(ap
);
597 AUDIT_PIPE_SX_LOCK_INIT(ap
);
598 cv_init(&ap
->ap_cv
, "audit_pipe");
601 * Default flags, naflags, and auid-specific preselection settings to
602 * 0. Initialize the mode to the global trail so that if praudit(1)
603 * is run on /dev/auditpipe, it sees events associated with the
604 * default trail. Pipe-aware application can clear the flag, set
605 * custom masks, and flush the pipe as needed.
607 bzero(&ap
->ap_preselect_flags
, sizeof(ap
->ap_preselect_flags
));
608 bzero(&ap
->ap_preselect_naflags
, sizeof(ap
->ap_preselect_naflags
));
609 TAILQ_INIT(&ap
->ap_preselect_list
);
610 ap
->ap_preselect_mode
= AUDITPIPE_PRESELECT_MODE_TRAIL
;
613 * Add to global list and update global statistics.
615 TAILQ_INSERT_HEAD(&audit_pipe_list
, ap
, ap_list
);
623 * Flush all records currently present in an audit pipe; assume mutex is held.
626 audit_pipe_flush(struct audit_pipe
*ap
)
628 struct audit_pipe_entry
*ape
;
630 AUDIT_PIPE_LOCK_ASSERT(ap
);
632 while ((ape
= TAILQ_FIRST(&ap
->ap_queue
)) != NULL
) {
633 TAILQ_REMOVE(&ap
->ap_queue
, ape
, ape_queue
);
634 ap
->ap_qbyteslen
-= ape
->ape_record_len
;
635 audit_pipe_entry_free(ape
);
640 KASSERT(ap
->ap_qlen
== 0, ("audit_pipe_free: ap_qbyteslen"));
641 KASSERT(ap
->ap_qbyteslen
== 0, ("audit_pipe_flush: ap_qbyteslen"));
645 * Free an audit pipe; this means freeing all preselection state and all
646 * records in the pipe. Assumes global write lock and pipe mutex are held to
647 * revent any new records from being inserted during the free, and that the
648 * audit pipe is still on the global list.
651 audit_pipe_free(struct audit_pipe
*ap
)
653 AUDIT_PIPE_LIST_WLOCK_ASSERT();
654 AUDIT_PIPE_LOCK_ASSERT(ap
);
656 audit_pipe_preselect_flush_locked(ap
);
657 audit_pipe_flush(ap
);
658 cv_destroy(&ap
->ap_cv
);
659 AUDIT_PIPE_SX_LOCK_DESTROY(ap
);
660 AUDIT_PIPE_UNLOCK(ap
);
661 AUDIT_PIPE_LOCK_DESTROY(ap
);
663 knlist_destroy(&ap
->ap_selinfo
.si_note
);
665 TAILQ_REMOVE(&audit_pipe_list
, ap
, ap_list
);
666 free(ap
, M_AUDIT_PIPE
);
671 * Audit pipe clone routine -- provides a new minor number, or to return (-1),
672 * if one can't be provided. Called with DEVFS_LOCK held.
675 audit_pipe_clone(__unused dev_t dev
, int action
)
679 if (action
== DEVFS_CLONE_ALLOC
) {
680 for (i
= 0; i
< MAX_AUDIT_PIPES
; i
++) {
681 if (audit_pipe_dtab
[i
] == NULL
) {
687 * XXX Should really return -1 here but that seems to hang
688 * things in devfs. Instead return 0 and let _open() tell
689 * userland the bad news.
698 * Audit pipe open method. Explicit privilege check isn't used as this
699 * allows file permissions on the special device to be used to grant audit
700 * review access. Those file permissions should be managed carefully.
703 audit_pipe_open(dev_t dev
, __unused
int flags
, __unused
int devtype
,
706 struct audit_pipe
*ap
;
710 if (u
< 0 || u
>= MAX_AUDIT_PIPES
) {
714 AUDIT_PIPE_LIST_WLOCK();
715 ap
= audit_pipe_dtab
[u
];
717 ap
= audit_pipe_alloc();
719 AUDIT_PIPE_LIST_WUNLOCK();
722 audit_pipe_dtab
[u
] = ap
;
724 KASSERT(ap
->ap_open
, ("audit_pipe_open: ap && !ap_open"));
725 AUDIT_PIPE_LIST_WUNLOCK();
729 AUDIT_PIPE_LIST_WUNLOCK();
731 fsetown(td
->td_proc
->p_pid
, &ap
->ap_sigio
);
737 * Close audit pipe, tear down all records, etc.
740 audit_pipe_close(dev_t dev
, __unused
int flags
, __unused
int devtype
,
743 struct audit_pipe
*ap
;
747 ap
= audit_pipe_dtab
[u
];
748 KASSERT(ap
!= NULL
, ("audit_pipe_close: ap == NULL"));
749 KASSERT(ap
->ap_open
, ("audit_pipe_close: !ap_open"));
752 funsetown(&ap
->ap_sigio
);
754 AUDIT_PIPE_LIST_WLOCK();
758 audit_pipe_dtab
[u
] = NULL
;
759 AUDIT_PIPE_LIST_WUNLOCK();
764 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
768 audit_pipe_ioctl(dev_t dev
, u_long cmd
, caddr_t data
,
769 __unused
int flag
, __unused proc_t p
)
771 struct auditpipe_ioctl_preselect
*aip
;
772 struct audit_pipe
*ap
;
777 ap
= audit_pipe_dtab
[minor(dev
)];
778 KASSERT(ap
!= NULL
, ("audit_pipe_ioctl: ap == NULL"));
781 * Audit pipe ioctls: first come standard device node ioctls, then
782 * manipulation of pipe settings, and finally, statistics query
789 ap
->ap_flags
|= AUDIT_PIPE_NBIO
;
791 ap
->ap_flags
&= ~AUDIT_PIPE_NBIO
;
793 AUDIT_PIPE_UNLOCK(ap
);
799 *(int *)data
= ap
->ap_qbyteslen
- ap
->ap_qoffset
;
800 AUDIT_PIPE_UNLOCK(ap
);
807 ap
->ap_flags
|= AUDIT_PIPE_ASYNC
;
809 ap
->ap_flags
&= ~AUDIT_PIPE_ASYNC
;
811 AUDIT_PIPE_UNLOCK(ap
);
817 error
= fsetown(*(int *)data
, &ap
->ap_sigio
);
821 *(int *)data
= fgetown(&ap
->ap_sigio
);
824 #endif /* !__APPLE__ */
826 case AUDITPIPE_GET_QLEN
:
827 *(u_int
*)data
= ap
->ap_qlen
;
831 case AUDITPIPE_GET_QLIMIT
:
832 *(u_int
*)data
= ap
->ap_qlimit
;
836 case AUDITPIPE_SET_QLIMIT
:
837 /* Lockless integer write. */
838 if (*(u_int
*)data
>= AUDIT_PIPE_QLIMIT_MIN
||
839 *(u_int
*)data
<= AUDIT_PIPE_QLIMIT_MAX
) {
840 ap
->ap_qlimit
= *(u_int
*)data
;
847 case AUDITPIPE_GET_QLIMIT_MIN
:
848 *(u_int
*)data
= AUDIT_PIPE_QLIMIT_MIN
;
852 case AUDITPIPE_GET_QLIMIT_MAX
:
853 *(u_int
*)data
= AUDIT_PIPE_QLIMIT_MAX
;
857 case AUDITPIPE_GET_PRESELECT_FLAGS
:
859 maskp
= (au_mask_t
*)data
;
860 *maskp
= ap
->ap_preselect_flags
;
861 AUDIT_PIPE_UNLOCK(ap
);
865 case AUDITPIPE_SET_PRESELECT_FLAGS
:
867 maskp
= (au_mask_t
*)data
;
868 ap
->ap_preselect_flags
= *maskp
;
869 AUDIT_CHECK_IF_KEVENTS_MASK(ap
->ap_preselect_flags
);
870 AUDIT_PIPE_UNLOCK(ap
);
874 case AUDITPIPE_GET_PRESELECT_NAFLAGS
:
876 maskp
= (au_mask_t
*)data
;
877 *maskp
= ap
->ap_preselect_naflags
;
878 AUDIT_PIPE_UNLOCK(ap
);
882 case AUDITPIPE_SET_PRESELECT_NAFLAGS
:
884 maskp
= (au_mask_t
*)data
;
885 ap
->ap_preselect_naflags
= *maskp
;
886 AUDIT_CHECK_IF_KEVENTS_MASK(ap
->ap_preselect_naflags
);
887 AUDIT_PIPE_UNLOCK(ap
);
891 case AUDITPIPE_GET_PRESELECT_AUID
:
892 aip
= (struct auditpipe_ioctl_preselect
*)data
;
893 error
= audit_pipe_preselect_get(ap
, aip
->aip_auid
,
897 case AUDITPIPE_SET_PRESELECT_AUID
:
898 aip
= (struct auditpipe_ioctl_preselect
*)data
;
899 audit_pipe_preselect_set(ap
, aip
->aip_auid
, aip
->aip_mask
);
903 case AUDITPIPE_DELETE_PRESELECT_AUID
:
904 auid
= *(au_id_t
*)data
;
905 error
= audit_pipe_preselect_delete(ap
, auid
);
908 case AUDITPIPE_FLUSH_PRESELECT_AUID
:
909 audit_pipe_preselect_flush(ap
);
913 case AUDITPIPE_GET_PRESELECT_MODE
:
915 *(int *)data
= ap
->ap_preselect_mode
;
916 AUDIT_PIPE_UNLOCK(ap
);
920 case AUDITPIPE_SET_PRESELECT_MODE
:
923 case AUDITPIPE_PRESELECT_MODE_TRAIL
:
924 case AUDITPIPE_PRESELECT_MODE_LOCAL
:
926 ap
->ap_preselect_mode
= mode
;
927 AUDIT_PIPE_UNLOCK(ap
);
936 case AUDITPIPE_FLUSH
:
937 if (AUDIT_PIPE_SX_XLOCK_SIG(ap
) != 0) {
941 audit_pipe_flush(ap
);
942 AUDIT_PIPE_UNLOCK(ap
);
943 AUDIT_PIPE_SX_XUNLOCK(ap
);
947 case AUDITPIPE_GET_MAXAUDITDATA
:
948 *(u_int
*)data
= MAXAUDITDATA
;
952 case AUDITPIPE_GET_INSERTS
:
953 *(u_int
*)data
= ap
->ap_inserts
;
957 case AUDITPIPE_GET_READS
:
958 *(u_int
*)data
= ap
->ap_reads
;
962 case AUDITPIPE_GET_DROPS
:
963 *(u_int
*)data
= ap
->ap_drops
;
967 case AUDITPIPE_GET_TRUNCATES
:
979 * Audit pipe read. Read one or more partial or complete records to user
983 audit_pipe_read(dev_t dev
, struct uio
*uio
, __unused
int flag
)
985 struct audit_pipe_entry
*ape
;
986 struct audit_pipe
*ap
;
990 ap
= audit_pipe_dtab
[minor(dev
)];
991 KASSERT(ap
!= NULL
, ("audit_pipe_read: ap == NULL"));
994 * We hold an sleep lock over read and flush because we rely on the
995 * stability of a record in the queue during uiomove(9).
997 if (AUDIT_PIPE_SX_XLOCK_SIG(ap
) != 0) {
1000 AUDIT_PIPE_LOCK(ap
);
1001 while (TAILQ_EMPTY(&ap
->ap_queue
)) {
1002 if (ap
->ap_flags
& AUDIT_PIPE_NBIO
) {
1003 AUDIT_PIPE_UNLOCK(ap
);
1004 AUDIT_PIPE_SX_XUNLOCK(ap
);
1007 error
= cv_wait_sig(&ap
->ap_cv
, AUDIT_PIPE_MTX(ap
));
1009 AUDIT_PIPE_UNLOCK(ap
);
1010 AUDIT_PIPE_SX_XUNLOCK(ap
);
1016 * Copy as many remaining bytes from the current record to userspace
1017 * as we can. Keep processing records until we run out of records in
1018 * the queue, or until the user buffer runs out of space.
1020 * Note: we rely on the sleep lock to maintain ape's stability here.
1023 while ((ape
= TAILQ_FIRST(&ap
->ap_queue
)) != NULL
&&
1024 uio_resid(uio
) > 0) {
1025 AUDIT_PIPE_LOCK_ASSERT(ap
);
1027 KASSERT(ape
->ape_record_len
> ap
->ap_qoffset
,
1028 ("audit_pipe_read: record_len > qoffset (1)"));
1029 toread
= MIN((int)(ape
->ape_record_len
- ap
->ap_qoffset
),
1031 AUDIT_PIPE_UNLOCK(ap
);
1032 error
= uiomove((char *)ape
->ape_record
+ ap
->ap_qoffset
,
1035 AUDIT_PIPE_SX_XUNLOCK(ap
);
1040 * If the copy succeeded, update book-keeping, and if no
1041 * bytes remain in the current record, free it.
1043 AUDIT_PIPE_LOCK(ap
);
1044 KASSERT(TAILQ_FIRST(&ap
->ap_queue
) == ape
,
1045 ("audit_pipe_read: queue out of sync after uiomove"));
1046 ap
->ap_qoffset
+= toread
;
1047 KASSERT(ape
->ape_record_len
>= ap
->ap_qoffset
,
1048 ("audit_pipe_read: record_len >= qoffset (2)"));
1049 if (ap
->ap_qoffset
== ape
->ape_record_len
) {
1050 TAILQ_REMOVE(&ap
->ap_queue
, ape
, ape_queue
);
1051 ap
->ap_qbyteslen
-= ape
->ape_record_len
;
1052 audit_pipe_entry_free(ape
);
1057 AUDIT_PIPE_UNLOCK(ap
);
1058 AUDIT_PIPE_SX_XUNLOCK(ap
);
1066 audit_pipe_poll(dev_t dev
, int events
, void *wql
, struct proc
*p
)
1068 struct audit_pipe
*ap
;
1072 ap
= audit_pipe_dtab
[minor(dev
)];
1073 KASSERT(ap
!= NULL
, ("audit_pipe_poll: ap == NULL"));
1075 if (events
& (POLLIN
| POLLRDNORM
)) {
1076 AUDIT_PIPE_LOCK(ap
);
1077 if (TAILQ_FIRST(&ap
->ap_queue
) != NULL
) {
1078 revents
|= events
& (POLLIN
| POLLRDNORM
);
1080 selrecord(p
, &ap
->ap_selinfo
, wql
);
1082 AUDIT_PIPE_UNLOCK(ap
);
1087 static void *devnode
;
1090 audit_pipe_init(void)
1094 TAILQ_INIT(&audit_pipe_list
);
1095 AUDIT_PIPE_LIST_LOCK_INIT();
1097 audit_pipe_major
= cdevsw_add(-1, &audit_pipe_cdevsw
);
1098 if (audit_pipe_major
< 0) {
1099 return KERN_FAILURE
;
1102 dev
= makedev(audit_pipe_major
, 0);
1103 devnode
= devfs_make_node_clone(dev
, DEVFS_CHAR
, UID_ROOT
, GID_WHEEL
,
1104 0600, audit_pipe_clone
, "auditpipe", 0);
1106 if (devnode
== NULL
) {
1107 return KERN_FAILURE
;
1110 return KERN_SUCCESS
;
1114 audit_pipe_shutdown(void)
1116 /* unwind everything */
1117 devfs_remove(devnode
);
1118 (void) cdevsw_remove(audit_pipe_major
, &audit_pipe_cdevsw
);
1120 return KERN_SUCCESS
;
1123 #endif /* CONFIG_AUDIT */