audit_worker.c revision 159269
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * $FreeBSD: head/sys/security/audit/audit_worker.c 159269 2006-06-05 14:48:17Z rwatson $ 31 */ 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sysproto.h> 52#include <sys/sysent.h> 53#include <sys/systm.h> 54#include <sys/ucred.h> 55#include <sys/uio.h> 56#include <sys/un.h> 57#include <sys/unistd.h> 58#include <sys/vnode.h> 59 60#include <bsm/audit.h> 61#include <bsm/audit_internal.h> 62#include <bsm/audit_kevents.h> 63 64#include <netinet/in.h> 65#include <netinet/in_pcb.h> 66 67#include <security/audit/audit.h> 68#include <security/audit/audit_private.h> 69 70#include <vm/uma.h> 71 72/* 73 * Worker thread that will schedule disk I/O, etc. 74 */ 75static struct proc *audit_thread; 76 77/* 78 * When an audit log is rotated, the actual rotation must be performed by the 79 * audit worker thread, as it may have outstanding writes on the current 80 * audit log. audit_replacement_vp holds the vnode replacing the current 81 * vnode. We can't let more than one replacement occur at a time, so if more 82 * than one thread requests a replacement, only one can have the replacement 83 * "in progress" at any given moment. If a thread tries to replace the audit 84 * vnode and discovers a replacement is already in progress (i.e., 85 * audit_replacement_flag != 0), then it will sleep on audit_replacement_cv 86 * waiting its turn to perform a replacement. When a replacement is 87 * completed, this cv is signalled by the worker thread so a waiting thread 88 * can start another replacement. We also store a credential to perform 89 * audit log write operations with. 90 * 91 * The current credential and vnode are thread-local to audit_worker. 92 */ 93static struct cv audit_replacement_cv; 94 95static int audit_replacement_flag; 96static struct vnode *audit_replacement_vp; 97static struct ucred *audit_replacement_cred; 98 99/* 100 * Flags related to Kernel->user-space communication. 101 */ 102static int audit_file_rotate_wait; 103 104/* 105 * XXXAUDIT: Should adjust comments below to make it clear that we get to 106 * this point only if we believe we have storage, so not having space here is 107 * a violation of invariants derived from administrative procedures. I.e., 108 * someone else has written to the audit partition, leaving less space than 109 * we accounted for. 110 */ 111static int 112audit_record_write(struct vnode *vp, struct ucred *cred, struct thread *td, 113 void *data, size_t len) 114{ 115 int ret; 116 long temp; 117 struct vattr vattr; 118 struct statfs *mnt_stat = &vp->v_mount->mnt_stat; 119 int vfslocked; 120 121 if (vp == NULL) 122 return (0); 123 124 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 125 126 /* 127 * First, gather statistics on the audit log file and file system so 128 * that we know how we're doing on space. In both cases, if we're 129 * unable to perform the operation, we drop the record and return. 130 * However, this is arguably an assertion failure. 131 * XXX Need a FreeBSD equivalent. 132 */ 133 ret = VFS_STATFS(vp->v_mount, mnt_stat, td); 134 if (ret) 135 goto out; 136 137 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 138 ret = VOP_GETATTR(vp, &vattr, cred, td); 139 VOP_UNLOCK(vp, 0, td); 140 if (ret) 141 goto out; 142 143 /* update the global stats struct */ 144 audit_fstat.af_currsz = vattr.va_size; 145 146 /* 147 * XXX Need to decide what to do if the trigger to the audit daemon 148 * fails. 149 */ 150 151 /* 152 * If we fall below minimum free blocks (hard limit), tell the audit 153 * daemon to force a rotation off of the file system. We also stop 154 * writing, which means this audit record is probably lost. If we 155 * fall below the minimum percent free blocks (soft limit), then 156 * kindly suggest to the audit daemon to do something. 157 */ 158 if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { 159 (void)send_trigger(AUDIT_TRIGGER_NO_SPACE); 160 /* 161 * Hopefully userspace did something about all the previous 162 * triggers that were sent prior to this critical condition. 163 * If fail-stop is set, then we're done; goodnight Gracie. 164 */ 165 if (audit_fail_stop) 166 panic("Audit log space exhausted and fail-stop set."); 167 else { 168 audit_suspended = 1; 169 ret = ENOSPC; 170 goto out; 171 } 172 } else 173 /* 174 * Send a message to the audit daemon that disk space is 175 * getting low. 176 * 177 * XXXAUDIT: Check math and block size calculation here. 178 */ 179 if (audit_qctrl.aq_minfree != 0) { 180 temp = mnt_stat->f_blocks / (100 / 181 audit_qctrl.aq_minfree); 182 if (mnt_stat->f_bfree < temp) 183 (void)send_trigger(AUDIT_TRIGGER_LOW_SPACE); 184 } 185 186 /* 187 * Check if the current log file is full; if so, call for a log 188 * rotate. This is not an exact comparison; we may write some records 189 * over the limit. If that's not acceptable, then add a fudge factor 190 * here. 191 */ 192 if ((audit_fstat.af_filesz != 0) && 193 (audit_file_rotate_wait == 0) && 194 (vattr.va_size >= audit_fstat.af_filesz)) { 195 audit_file_rotate_wait = 1; 196 (void)send_trigger(AUDIT_TRIGGER_OPEN_NEW); 197 } 198 199 /* 200 * If the estimated amount of audit data in the audit event queue 201 * (plus records allocated but not yet queued) has reached the amount 202 * of free space on the disk, then we need to go into an audit fail 203 * stop state, in which we do not permit the allocation/committing of 204 * any new audit records. We continue to process packets but don't 205 * allow any activities that might generate new records. In the 206 * future, we might want to detect when space is available again and 207 * allow operation to continue, but this behavior is sufficient to 208 * meet fail stop requirements in CAPP. 209 */ 210 if (audit_fail_stop && 211 (unsigned long) 212 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) / 213 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) { 214 printf("audit_record_write: free space below size of audit " 215 "queue, failing stop\n"); 216 audit_in_failure = 1; 217 } 218 219 ret = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE, 220 IO_APPEND|IO_UNIT, cred, NULL, NULL, td); 221 222out: 223 /* 224 * When we're done processing the current record, we have to check to 225 * see if we're in a failure mode, and if so, whether this was the 226 * last record left to be drained. If we're done draining, then we 227 * fsync the vnode and panic. 228 */ 229 if (audit_in_failure && audit_q_len == 0 && audit_pre_q_len == 0) { 230 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td); 231 (void)VOP_FSYNC(vp, MNT_WAIT, td); 232 VOP_UNLOCK(vp, 0, td); 233 panic("Audit store overflow; record queue drained."); 234 } 235 236 VFS_UNLOCK_GIANT(vfslocked); 237 238 return (ret); 239} 240 241/* 242 * If an appropriate signal has been received rotate the audit log based on 243 * the global replacement variables. Signal consumers as needed that the 244 * rotation has taken place. 245 * 246 * XXXRW: The global variables and CVs used to signal the audit_worker to 247 * perform a rotation are essentially a message queue of depth 1. It would 248 * be much nicer to actually use a message queue. 249 */ 250static void 251audit_worker_rotate(struct ucred **audit_credp, struct vnode **audit_vpp, 252 struct thread *audit_td) 253{ 254 int do_replacement_signal, vfslocked; 255 struct ucred *old_cred; 256 struct vnode *old_vp; 257 258 mtx_assert(&audit_mtx, MA_OWNED); 259 260 do_replacement_signal = 0; 261 while (audit_replacement_flag != 0) { 262 old_cred = *audit_credp; 263 old_vp = *audit_vpp; 264 *audit_credp = audit_replacement_cred; 265 *audit_vpp = audit_replacement_vp; 266 audit_replacement_cred = NULL; 267 audit_replacement_vp = NULL; 268 audit_replacement_flag = 0; 269 270 audit_enabled = (*audit_vpp != NULL); 271 272 /* 273 * XXX: What to do about write failures here? 274 */ 275 if (old_vp != NULL) { 276 AUDIT_PRINTF(("Closing old audit file\n")); 277 mtx_unlock(&audit_mtx); 278 vfslocked = VFS_LOCK_GIANT(old_vp->v_mount); 279 vn_close(old_vp, AUDIT_CLOSE_FLAGS, old_cred, 280 audit_td); 281 VFS_UNLOCK_GIANT(vfslocked); 282 crfree(old_cred); 283 mtx_lock(&audit_mtx); 284 old_cred = NULL; 285 old_vp = NULL; 286 AUDIT_PRINTF(("Audit file closed\n")); 287 } 288 if (*audit_vpp != NULL) { 289 AUDIT_PRINTF(("Opening new audit file\n")); 290 } 291 do_replacement_signal = 1; 292 } 293 294 /* 295 * Signal that replacement have occurred to wake up and 296 * start any other replacements started in parallel. We can 297 * continue about our business in the mean time. We 298 * broadcast so that both new replacements can be inserted, 299 * but also so that the source(s) of replacement can return 300 * successfully. 301 */ 302 if (do_replacement_signal) 303 cv_broadcast(&audit_replacement_cv); 304} 305 306/* 307 * Given a kernel audit record, process as required. Kernel audit records 308 * are converted to one, or possibly two, BSM records, depending on whether 309 * there is a user audit record present also. Kernel records need be 310 * converted to BSM before they can be written out. Both types will be 311 * written to disk, and audit pipes. 312 */ 313static void 314audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred, 315 struct thread *audit_td, struct kaudit_record *ar) 316{ 317 struct au_record *bsm; 318 au_class_t class; 319 au_event_t event; 320 int error, ret; 321 au_id_t auid; 322 int sorf; 323 324 if ((ar->k_ar_commit & AR_COMMIT_USER) && 325 (ar->k_ar_commit & AR_PRESELECT_TRAIL)) { 326 error = audit_record_write(audit_vp, audit_cred, audit_td, 327 ar->k_udata, ar->k_ulen); 328 if (error && audit_panic_on_write_fail) 329 panic("audit_worker: write error %d\n", error); 330 else if (error) 331 printf("audit_worker: write error %d\n", error); 332 } 333 if ((ar->k_ar_commit & AR_COMMIT_USER) && 334 (ar->k_ar_commit & AR_PRESELECT_PIPE)) 335 audit_pipe_submit_user(ar->k_udata, ar->k_ulen); 336 337 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) 338 return; 339 340 auid = ar->k_ar.ar_subj_auid; 341 event = ar->k_ar.ar_event; 342 class = au_event_class(event); 343 if (ar->k_ar.ar_errno == 0) 344 sorf = AU_PRS_SUCCESS; 345 else 346 sorf = AU_PRS_FAILURE; 347 348 ret = kaudit_to_bsm(ar, &bsm); 349 switch (ret) { 350 case BSM_NOAUDIT: 351 return; 352 353 case BSM_FAILURE: 354 printf("audit_worker_process_record: BSM_FAILURE\n"); 355 return; 356 357 case BSM_SUCCESS: 358 break; 359 360 default: 361 panic("kaudit_to_bsm returned %d", ret); 362 } 363 364 if (ar->k_ar_commit & AR_PRESELECT_TRAIL) { 365 error = audit_record_write(audit_vp, audit_cred, 366 audit_td, bsm->data, bsm->len); 367 if (error && audit_panic_on_write_fail) 368 panic("audit_worker: write error %d\n", 369 error); 370 else if (error) 371 printf("audit_worker: write error %d\n", 372 error); 373 } 374 if (ar->k_ar_commit & AR_PRESELECT_PIPE) 375 audit_pipe_submit(auid, event, class, sorf, 376 ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data, 377 bsm->len); 378 kau_free(bsm); 379} 380 381/* 382 * The audit_worker thread is responsible for watching the event queue, 383 * dequeueing records, converting them to BSM format, and committing them to 384 * disk. In order to minimize lock thrashing, records are dequeued in sets 385 * to a thread-local work queue. In addition, the audit_work performs the 386 * actual exchange of audit log vnode pointer, as audit_vp is a thread-local 387 * variable. 388 */ 389static void 390audit_worker(void *arg) 391{ 392 struct kaudit_queue ar_worklist; 393 struct kaudit_record *ar; 394 struct ucred *audit_cred; 395 struct thread *audit_td; 396 struct vnode *audit_vp; 397 int lowater_signal; 398 399 AUDIT_PRINTF(("audit_worker starting\n")); 400 401 /* 402 * These are thread-local variables requiring no synchronization. 403 */ 404 TAILQ_INIT(&ar_worklist); 405 audit_cred = NULL; 406 audit_td = curthread; 407 audit_vp = NULL; 408 409 mtx_lock(&audit_mtx); 410 while (1) { 411 mtx_assert(&audit_mtx, MA_OWNED); 412 413 /* 414 * Wait for record or rotation events. 415 */ 416 while (!audit_replacement_flag && TAILQ_EMPTY(&audit_q)) { 417 AUDIT_PRINTF(("audit_worker waiting\n")); 418 cv_wait(&audit_worker_cv, &audit_mtx); 419 AUDIT_PRINTF(("audit_worker woken up\n")); 420 AUDIT_PRINTF(("audit_worker: new vp = %p; value of " 421 "flag %d\n", audit_replacement_vp, 422 audit_replacement_flag)); 423 } 424 425 /* 426 * First priority: replace the audit log target if requested. 427 */ 428 audit_worker_rotate(&audit_cred, &audit_vp, audit_td); 429 430 /* 431 * If there are records in the global audit record queue, 432 * transfer them to a thread-local queue and process them 433 * one by one. If we cross the low watermark threshold, 434 * signal any waiting processes that they may wake up and 435 * continue generating records. 436 */ 437 lowater_signal = 0; 438 while ((ar = TAILQ_FIRST(&audit_q))) { 439 TAILQ_REMOVE(&audit_q, ar, k_q); 440 audit_q_len--; 441 if (audit_q_len == audit_qctrl.aq_lowater) 442 lowater_signal++; 443 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); 444 } 445 if (lowater_signal) 446 cv_broadcast(&audit_watermark_cv); 447 448 mtx_unlock(&audit_mtx); 449 while ((ar = TAILQ_FIRST(&ar_worklist))) { 450 TAILQ_REMOVE(&ar_worklist, ar, k_q); 451 audit_worker_process_record(audit_vp, audit_cred, 452 audit_td, ar); 453 audit_free(ar); 454 } 455 mtx_lock(&audit_mtx); 456 } 457} 458 459/* 460 * audit_rotate_vnode() is called by a user or kernel thread to configure or 461 * de-configure auditing on a vnode. The arguments are the replacement 462 * credential and vnode to substitute for the current credential and vnode, 463 * if any. If either is set to NULL, both should be NULL, and this is used 464 * to indicate that audit is being disabled. The real work is done in the 465 * audit_worker thread, but audit_rotate_vnode() waits synchronously for that 466 * to complete. 467 * 468 * The vnode should be referenced and opened by the caller. The credential 469 * should be referenced. audit_rotate_vnode() will own both references as of 470 * this call, so the caller should not release either. 471 * 472 * XXXAUDIT: Review synchronize communication logic. Really, this is a 473 * message queue of depth 1. 474 * 475 * XXXAUDIT: Enhance the comments below to indicate that we are basically 476 * acquiring ownership of the communications queue, inserting our message, 477 * and waiting for an acknowledgement. 478 */ 479void 480audit_rotate_vnode(struct ucred *cred, struct vnode *vp) 481{ 482 483 /* 484 * If other parallel log replacements have been requested, we wait 485 * until they've finished before continuing. 486 */ 487 mtx_lock(&audit_mtx); 488 while (audit_replacement_flag != 0) { 489 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for " 490 "flag\n")); 491 cv_wait(&audit_replacement_cv, &audit_mtx); 492 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n", 493 audit_replacement_flag)); 494 } 495 audit_replacement_cred = cred; 496 audit_replacement_flag = 1; 497 audit_replacement_vp = vp; 498 499 /* 500 * Wake up the audit worker to perform the exchange once we 501 * release the mutex. 502 */ 503 cv_signal(&audit_worker_cv); 504 505 /* 506 * Wait for the audit_worker to broadcast that a replacement has 507 * taken place; we know that once this has happened, our vnode 508 * has been replaced in, so we can return successfully. 509 */ 510 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of " 511 "replacement\n")); 512 cv_wait(&audit_replacement_cv, &audit_mtx); 513 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by " 514 "audit_worker (flag " "now %d)\n", audit_replacement_flag)); 515 mtx_unlock(&audit_mtx); 516 517 audit_file_rotate_wait = 0; /* We can now request another rotation */ 518} 519 520void 521audit_worker_init(void) 522{ 523 int error; 524 525 cv_init(&audit_replacement_cv, "audit_replacement_cv"); 526 error = kthread_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 527 0, "audit_worker"); 528 if (error) 529 panic("audit_worker_init: kthread_create returned %d", error); 530} 531