]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_worker.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-2782.1.97.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_worker.c
1 /*-
2 * Copyright (c) 1999-2011 Apple Inc.
3 * Copyright (c) 2006-2008 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <sys/param.h>
32 #include <sys/fcntl.h>
33 #include <sys/kernel.h>
34 #include <sys/lock.h>
35 #include <sys/namei.h>
36 #include <sys/proc_internal.h>
37 #include <sys/kauth.h>
38 #include <sys/queue.h>
39 #include <sys/systm.h>
40 #include <sys/time.h>
41 #include <sys/ucred.h>
42 #include <sys/uio.h>
43 #include <sys/unistd.h>
44 #include <sys/file_internal.h>
45 #include <sys/vnode_internal.h>
46 #include <sys/user.h>
47 #include <sys/syscall.h>
48 #include <sys/malloc.h>
49 #include <sys/un.h>
50 #include <sys/sysent.h>
51 #include <sys/sysproto.h>
52 #include <sys/vfs_context.h>
53 #include <sys/domain.h>
54 #include <sys/protosw.h>
55 #include <sys/socketvar.h>
56
57 #include <bsm/audit.h>
58 #include <bsm/audit_internal.h>
59 #include <bsm/audit_kevents.h>
60
61 #include <security/audit/audit.h>
62 #include <security/audit/audit_bsd.h>
63 #include <security/audit/audit_private.h>
64
65 #include <mach/host_priv.h>
66 #include <mach/host_special_ports.h>
67 #include <mach/audit_triggers_server.h>
68
69 #include <kern/host.h>
70 #include <kern/zalloc.h>
71 #include <kern/sched_prim.h>
72 #include <kern/task.h>
73 #include <kern/wait_queue.h>
74
75 #include <net/route.h>
76
77 #include <netinet/in.h>
78 #include <netinet/in_pcb.h>
79
80 /*
81 * Worker thread that will schedule disk I/O, etc.
82 */
83 static thread_t audit_thread;
84
85 /*
86 * audit_ctx and audit_vp are the stored credential and vnode to use for
87 * active audit trail. They are protected by audit_worker_sl, which will be
88 * held across all I/O and all rotation to prevent them from being replaced
89 * (rotated) while in use. The audit_file_rotate_wait flag is set when the
90 * kernel has delivered a trigger to auditd to rotate the trail, and is
91 * cleared when the next rotation takes place. It is also protected by
92 * audit_worker_sl.
93 */
94 static int audit_file_rotate_wait;
95 static struct slck audit_worker_sl;
96 static struct vfs_context audit_ctx;
97 static struct vnode *audit_vp;
98
99 #define AUDIT_WORKER_SX_INIT() slck_init(&audit_worker_sl, \
100 "audit_worker_sl")
101 #define AUDIT_WORKER_SX_XLOCK() slck_lock(&audit_worker_sl)
102 #define AUDIT_WORKER_SX_XUNLOCK() slck_unlock(&audit_worker_sl)
103 #define AUDIT_WORKER_SX_ASSERT() slck_assert(&audit_worker_sl, SL_OWNED)
104 #define AUDIT_WORKER_SX_DESTROY() slck_destroy(&audit_worker_sl)
105
106 /*
107 * The audit_q_draining flag is set when audit is disabled and the audit
108 * worker queue is being drained.
109 */
110 static int audit_q_draining;
111
112 /*
113 * The special kernel audit record, audit_drain_kar, is used to mark the end of
114 * the queue when draining it.
115 */
116 static struct kaudit_record audit_drain_kar = {
117 .k_ar = {
118 .ar_event = AUE_NULL,
119 },
120 .k_ar_commit = AR_DRAIN_QUEUE,
121 };
122
123 /*
124 * Write an audit record to a file, performed as the last stage after both
125 * preselection and BSM conversion. Both space management and write failures
126 * are handled in this function.
127 *
128 * No attempt is made to deal with possible failure to deliver a trigger to
129 * the audit daemon, since the message is asynchronous anyway.
130 */
131 static void
132 audit_record_write(struct vnode *vp, struct vfs_context *ctx, void *data,
133 size_t len)
134 {
135 static struct timeval last_lowspace_trigger;
136 static struct timeval last_fail;
137 static int cur_lowspace_trigger;
138 struct vfsstatfs *mnt_stat;
139 int error;
140 static int cur_fail;
141 uint64_t temp;
142 off_t file_size;
143
144 AUDIT_WORKER_SX_ASSERT(); /* audit_file_rotate_wait. */
145
146 if (vp == NULL)
147 return;
148
149 if (vnode_getwithref(vp))
150 return /*(ENOENT)*/;
151
152 mnt_stat = &vp->v_mount->mnt_vfsstat;
153
154 /*
155 * First, gather statistics on the audit log file and file system so
156 * that we know how we're doing on space. Consider failure of these
157 * operations to indicate a future inability to write to the file.
158 */
159 error = vfs_update_vfsstat(vp->v_mount, ctx, VFS_KERNEL_EVENT);
160 if (error)
161 goto fail;
162 error = vnode_size(vp, &file_size, ctx);
163 if (error)
164 goto fail;
165 audit_fstat.af_currsz = (u_quad_t)file_size;
166
167 /*
168 * We handle four different space-related limits:
169 *
170 * - A fixed (hard) limit on the minimum free blocks we require on
171 * the file system, and results in record loss, a trigger, and
172 * possible fail stop due to violating invariants.
173 *
174 * - An administrative (soft) limit, which when fallen below, results
175 * in the kernel notifying the audit daemon of low space.
176 *
177 * - An audit trail size limit, which when gone above, results in the
178 * kernel notifying the audit daemon that rotation is desired.
179 *
180 * - The total depth of the kernel audit record exceeding free space,
181 * which can lead to possible fail stop (with drain), in order to
182 * prevent violating invariants. Failure here doesn't halt
183 * immediately, but prevents new records from being generated.
184 *
185 * Possibly, the last of these should be handled differently, always
186 * allowing a full queue to be lost, rather than trying to prevent
187 * loss.
188 *
189 * First, handle the hard limit, which generates a trigger and may
190 * fail stop. This is handled in the same manner as ENOSPC from
191 * VOP_WRITE, and results in record loss.
192 */
193 if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) {
194 error = ENOSPC;
195 goto fail_enospc;
196 }
197
198 /*
199 * Second, handle falling below the soft limit, if defined; we send
200 * the daemon a trigger and continue processing the record. Triggers
201 * are limited to 1/sec.
202 */
203 if (audit_qctrl.aq_minfree != 0) {
204 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
205 if (mnt_stat->f_bfree < temp &&
206 ppsratecheck(&last_lowspace_trigger,
207 &cur_lowspace_trigger, 1))
208 (void)audit_send_trigger(
209 AUDIT_TRIGGER_LOW_SPACE);
210 }
211
212 /*
213 * If the current file is getting full, generate a rotation trigger
214 * to the daemon. This is only approximate, which is fine as more
215 * records may be generated before the daemon rotates the file.
216 */
217 if ((audit_fstat.af_filesz != 0) && (audit_file_rotate_wait == 0) &&
218 ((u_quad_t)file_size >= audit_fstat.af_filesz)) {
219 AUDIT_WORKER_SX_ASSERT();
220
221 audit_file_rotate_wait = 1;
222 (void)audit_send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL);
223 }
224
225 /*
226 * If the estimated amount of audit data in the audit event queue
227 * (plus records allocated but not yet queued) has reached the amount
228 * of free space on the disk, then we need to go into an audit fail
229 * stop state, in which we do not permit the allocation/committing of
230 * any new audit records. We continue to process records but don't
231 * allow any activities that might generate new records. In the
232 * future, we might want to detect when space is available again and
233 * allow operation to continue, but this behavior is sufficient to
234 * meet fail stop requirements in CAPP.
235 */
236 if (audit_fail_stop) {
237 if ((unsigned long)((audit_q_len + audit_pre_q_len + 1) *
238 MAX_AUDIT_RECORD_SIZE) / mnt_stat->f_bsize >=
239 (unsigned long)(mnt_stat->f_bfree)) {
240 if (ppsratecheck(&last_fail, &cur_fail, 1))
241 printf("audit_record_write: free space "
242 "below size of audit queue, failing "
243 "stop\n");
244 audit_in_failure = 1;
245 } else if (audit_in_failure) {
246 /*
247 * Note: if we want to handle recovery, this is the
248 * spot to do it: unset audit_in_failure, and issue a
249 * wakeup on the cv.
250 */
251 }
252 }
253
254 error = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE,
255 IO_APPEND|IO_UNIT, vfs_context_ucred(ctx), NULL,
256 vfs_context_proc(ctx));
257 if (error == ENOSPC)
258 goto fail_enospc;
259 else if (error)
260 goto fail;
261
262 /*
263 * Catch completion of a queue drain here; if we're draining and the
264 * queue is now empty, fail stop. That audit_fail_stop is implicitly
265 * true, since audit_in_failure can only be set of audit_fail_stop is
266 * set.
267 *
268 * Note: if we handle recovery from audit_in_failure, then we need to
269 * make panic here conditional.
270 */
271 if (audit_in_failure) {
272 if (audit_q_len == 0 && audit_pre_q_len == 0) {
273 (void)VNOP_FSYNC(vp, MNT_WAIT, ctx);
274 panic("Audit store overflow; record queue drained.");
275 }
276 }
277
278 vnode_put(vp);
279 return;
280
281 fail_enospc:
282 /*
283 * ENOSPC is considered a special case with respect to failures, as
284 * this can reflect either our preemptive detection of insufficient
285 * space, or ENOSPC returned by the vnode write call.
286 */
287 if (audit_fail_stop) {
288 (void)VNOP_FSYNC(vp, MNT_WAIT, ctx);
289 panic("Audit log space exhausted and fail-stop set.");
290 }
291 (void)audit_send_trigger(AUDIT_TRIGGER_NO_SPACE);
292 audit_suspended = 1;
293
294 /* FALLTHROUGH */
295 fail:
296 /*
297 * We have failed to write to the file, so the current record is
298 * lost, which may require an immediate system halt.
299 */
300 if (audit_panic_on_write_fail) {
301 (void)VNOP_FSYNC(vp, MNT_WAIT, ctx);
302 panic("audit_worker: write error %d\n", error);
303 } else if (ppsratecheck(&last_fail, &cur_fail, 1))
304 printf("audit_worker: write error %d\n", error);
305 vnode_put(vp);
306 }
307
308 /*
309 * Given a kernel audit record, process as required. Kernel audit records
310 * are converted to one, or possibly two, BSM records, depending on whether
311 * there is a user audit record present also. Kernel records need be
312 * converted to BSM before they can be written out. Both types will be
313 * written to disk, and audit pipes.
314 */
315 static void
316 audit_worker_process_record(struct kaudit_record *ar)
317 {
318 struct au_record *bsm;
319 au_class_t class;
320 au_event_t event;
321 au_id_t auid;
322 int error, sorf;
323 int trail_locked;
324
325 /*
326 * We hold the audit_worker_sl lock over both writes, if there are
327 * two, so that the two records won't be split across a rotation and
328 * end up in two different trail files.
329 */
330 if (((ar->k_ar_commit & AR_COMMIT_USER) &&
331 (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) ||
332 (ar->k_ar_commit & AR_PRESELECT_TRAIL)) {
333 AUDIT_WORKER_SX_XLOCK();
334 trail_locked = 1;
335 } else
336 trail_locked = 0;
337
338 /*
339 * First, handle the user record, if any: commit to the system trail
340 * and audit pipes as selected.
341 */
342 if ((ar->k_ar_commit & AR_COMMIT_USER) &&
343 (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) {
344 AUDIT_WORKER_SX_ASSERT();
345 audit_record_write(audit_vp, &audit_ctx, ar->k_udata,
346 ar->k_ulen);
347 }
348
349 if ((ar->k_ar_commit & AR_COMMIT_USER) &&
350 (ar->k_ar_commit & AR_PRESELECT_USER_PIPE))
351 audit_pipe_submit_user(ar->k_udata, ar->k_ulen);
352
353 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) ||
354 ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 &&
355 (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0 &&
356 (ar->k_ar_commit & AR_PRESELECT_FILTER) == 0))
357 goto out;
358
359 auid = ar->k_ar.ar_subj_auid;
360 event = ar->k_ar.ar_event;
361 class = au_event_class(event);
362 if (ar->k_ar.ar_errno == 0)
363 sorf = AU_PRS_SUCCESS;
364 else
365 sorf = AU_PRS_FAILURE;
366
367 error = kaudit_to_bsm(ar, &bsm);
368 switch (error) {
369 case BSM_NOAUDIT:
370 goto out;
371
372 case BSM_FAILURE:
373 printf("audit_worker_process_record: BSM_FAILURE\n");
374 goto out;
375
376 case BSM_SUCCESS:
377 break;
378
379 default:
380 panic("kaudit_to_bsm returned %d", error);
381 }
382
383 if (ar->k_ar_commit & AR_PRESELECT_TRAIL) {
384 AUDIT_WORKER_SX_ASSERT();
385 audit_record_write(audit_vp, &audit_ctx, bsm->data, bsm->len);
386 }
387
388 if (ar->k_ar_commit & AR_PRESELECT_PIPE)
389 audit_pipe_submit(auid, event, class, sorf,
390 ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data,
391 bsm->len);
392
393 if (ar->k_ar_commit & AR_PRESELECT_FILTER) {
394
395 /*
396 * XXXss - This needs to be generalized so new filters can
397 * be easily plugged in.
398 */
399 audit_sdev_submit(auid, ar->k_ar.ar_subj_asid, bsm->data,
400 bsm->len);
401 }
402
403 kau_free(bsm);
404 out:
405 if (trail_locked)
406 AUDIT_WORKER_SX_XUNLOCK();
407 }
408
409 /*
410 * The audit_worker thread is responsible for watching the event queue,
411 * dequeueing records, converting them to BSM format, and committing them to
412 * disk. In order to minimize lock thrashing, records are dequeued in sets
413 * to a thread-local work queue.
414 *
415 * Note: this means that the effect bound on the size of the pending record
416 * queue is 2x the length of the global queue.
417 */
418 static void
419 audit_worker(void)
420 {
421 struct kaudit_queue ar_worklist;
422 struct kaudit_record *ar;
423 int lowater_signal;
424
425 if (audit_ctx.vc_thread == NULL)
426 audit_ctx.vc_thread = current_thread();
427
428 TAILQ_INIT(&ar_worklist);
429 mtx_lock(&audit_mtx);
430 while (1) {
431 mtx_assert(&audit_mtx, MA_OWNED);
432
433 /*
434 * Wait for a record.
435 */
436 while (TAILQ_EMPTY(&audit_q))
437 cv_wait_continuation(&audit_worker_cv, &audit_mtx,
438 (thread_continue_t)audit_worker);
439
440 /*
441 * If there are records in the global audit record queue,
442 * transfer them to a thread-local queue and process them
443 * one by one. If we cross the low watermark threshold,
444 * signal any waiting processes that they may wake up and
445 * continue generating records.
446 */
447 lowater_signal = 0;
448 while ((ar = TAILQ_FIRST(&audit_q))) {
449 TAILQ_REMOVE(&audit_q, ar, k_q);
450 audit_q_len--;
451 if (audit_q_len == audit_qctrl.aq_lowater)
452 lowater_signal++;
453 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
454 }
455 if (lowater_signal)
456 cv_broadcast(&audit_watermark_cv);
457
458 mtx_unlock(&audit_mtx);
459 while ((ar = TAILQ_FIRST(&ar_worklist))) {
460 TAILQ_REMOVE(&ar_worklist, ar, k_q);
461 if (ar->k_ar_commit & AR_DRAIN_QUEUE) {
462 audit_q_draining = 0;
463 cv_broadcast(&audit_drain_cv);
464 } else {
465 audit_worker_process_record(ar);
466 audit_free(ar);
467 }
468 }
469 mtx_lock(&audit_mtx);
470 }
471 }
472
473 /*
474 * audit_rotate_vnode() is called by a user or kernel thread to configure or
475 * de-configure auditing on a vnode. The arguments are the replacement
476 * credential (referenced) and vnode (referenced and opened) to substitute
477 * for the current credential and vnode, if any. If either is set to NULL,
478 * both should be NULL, and this is used to indicate that audit is being
479 * disabled. Any previous cred/vnode will be closed and freed. We re-enable
480 * generating rotation requests to auditd.
481 */
482 void
483 audit_rotate_vnode(kauth_cred_t cred, struct vnode *vp)
484 {
485 kauth_cred_t old_audit_cred;
486 struct vnode *old_audit_vp;
487
488 KASSERT((cred != NULL && vp != NULL) || (cred == NULL && vp == NULL),
489 ("audit_rotate_vnode: cred %p vp %p", cred, vp));
490
491
492 mtx_lock(&audit_mtx);
493 if (audit_enabled && (NULL == vp)) {
494 /* Auditing is currently enabled but will be disabled. */
495
496 /*
497 * Disable auditing now so nothing more is added while the
498 * audit worker thread is draining the audit record queue.
499 */
500 audit_enabled = 0;
501
502 /*
503 * Drain the auditing queue by inserting a drain record at the
504 * end of the queue and waiting for the audit worker thread
505 * to find this record and signal that it is done before
506 * we close the audit trail.
507 */
508 audit_q_draining = 1;
509 while (audit_q_len >= audit_qctrl.aq_hiwater)
510 cv_wait(&audit_watermark_cv, &audit_mtx);
511 TAILQ_INSERT_TAIL(&audit_q, &audit_drain_kar, k_q);
512 audit_q_len++;
513 cv_signal(&audit_worker_cv);
514 }
515
516 /* If the audit queue is draining then wait here until it's done. */
517 while (audit_q_draining)
518 cv_wait(&audit_drain_cv, &audit_mtx);
519 mtx_unlock(&audit_mtx);
520
521
522 /*
523 * Rotate the vnode/cred, and clear the rotate flag so that we will
524 * send a rotate trigger if the new file fills.
525 */
526 AUDIT_WORKER_SX_XLOCK();
527 old_audit_cred = audit_ctx.vc_ucred;
528 old_audit_vp = audit_vp;
529 audit_ctx.vc_ucred = cred;
530 audit_vp = vp;
531 audit_file_rotate_wait = 0;
532 audit_enabled = (audit_vp != NULL);
533 AUDIT_WORKER_SX_XUNLOCK();
534
535 /*
536 * If there was an old vnode/credential, close and free.
537 */
538 if (old_audit_vp != NULL) {
539 if (vnode_get(old_audit_vp) == 0) {
540 vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS,
541 vfs_context_kernel());
542 vnode_put(old_audit_vp);
543 } else
544 printf("audit_rotate_vnode: Couldn't close "
545 "audit file.\n");
546 kauth_cred_unref(&old_audit_cred);
547 }
548 }
549
550 void
551 audit_worker_init(void)
552 {
553
554 AUDIT_WORKER_SX_INIT();
555 kernel_thread_start((thread_continue_t)audit_worker, NULL,
556 &audit_thread);
557 if (audit_thread == THREAD_NULL)
558 panic("audit_worker_init: Couldn't create audit_worker thread");
559 }
mirror of XNU