1150850Sscottl/*- 2150850Sscottl * Copyright (c) 2006 Robert N. M. Watson 3150850Sscottl * Copyright (c) 2008-2009 Apple, Inc. 4150850Sscottl * All rights reserved. 5150850Sscottl * 6150850Sscottl * This software was developed by Robert Watson for the TrustedBSD Project. 7150850Sscottl * 8150850Sscottl * Redistribution and use in source and binary forms, with or without 9150850Sscottl * modification, are permitted provided that the following conditions 10150850Sscottl * are met: 11150850Sscottl * 1. Redistributions of source code must retain the above copyright 12150850Sscottl * notice, this list of conditions and the following disclaimer. 13150850Sscottl * 2. Redistributions in binary form must reproduce the above copyright 14150850Sscottl * notice, this list of conditions and the following disclaimer in the 15150850Sscottl * documentation and/or other materials provided with the distribution. 16150850Sscottl * 17150850Sscottl * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18150850Sscottl * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19150850Sscottl * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20150850Sscottl * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21150850Sscottl * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22150850Sscottl * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23150850Sscottl * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24150850Sscottl * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25150850Sscottl * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26150850Sscottl * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27150850Sscottl * SUCH DAMAGE. 28150850Sscottl */ 29150850Sscottl 30150850Sscottl#include <sys/cdefs.h> 31150850Sscottl__FBSDID("$FreeBSD$"); 32150850Sscottl 33150850Sscottl#include <sys/param.h> 34150850Sscottl#include <sys/condvar.h> 35150850Sscottl#include <sys/conf.h> 36150850Sscottl#include <sys/eventhandler.h> 37150850Sscottl#include <sys/filio.h> 38150850Sscottl#include <sys/kernel.h> 39150850Sscottl#include <sys/lock.h> 40150850Sscottl#include <sys/malloc.h> 41150850Sscottl#include <sys/mutex.h> 42150850Sscottl#include <sys/poll.h> 43152776Sru#include <sys/proc.h> 44150850Sscottl#include <sys/queue.h> 45152776Sru#include <sys/rwlock.h> 46150850Sscottl#include <sys/selinfo.h> 47150850Sscottl#include <sys/sigio.h> 48150850Sscottl#include <sys/signal.h> 49150850Sscottl#include <sys/signalvar.h> 50150850Sscottl#include <sys/sx.h> 51150850Sscottl#include <sys/systm.h> 52150850Sscottl#include <sys/uio.h> 53150850Sscottl 54152776Sru#include <security/audit/audit.h> 55150850Sscottl#include <security/audit/audit_ioctl.h> 56150850Sscottl#include <security/audit/audit_private.h> 57150850Sscottl 58150850Sscottl/* 59150850Sscottl * Implementation of a clonable special device providing a live stream of BSM 60150850Sscottl * audit data. Consumers receive a "tee" of the system audit trail by 61150850Sscottl * default, but may also define alternative event selections using ioctls. 62150850Sscottl * This interface provides unreliable but timely access to audit events. 63150850Sscottl * Consumers should be very careful to avoid introducing event cycles. 64150850Sscottl */ 65150850Sscottl 66150850Sscottl/* 67150850Sscottl * Memory types. 68152776Sru */ 69150850Sscottlstatic MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 70152776Srustatic MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 71150850Sscottl "Audit pipe entries and buffers"); 72150850Sscottlstatic MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 73150850Sscottl "Audit pipe preselection structure"); 74150850Sscottl 75150850Sscottl/* 76150850Sscottl * Audit pipe buffer parameters. 77150850Sscottl */ 78150850Sscottl#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 79152776Sru#define AUDIT_PIPE_QLIMIT_MIN (1) 80150850Sscottl#define AUDIT_PIPE_QLIMIT_MAX (1024) 81152776Sru 82150850Sscottl/* 83150850Sscottl * Description of an entry in an audit_pipe. 84150850Sscottl */ 85150850Sscottlstruct audit_pipe_entry { 86150850Sscottl void *ape_record; 87152776Sru u_int ape_record_len; 88150850Sscottl TAILQ_ENTRY(audit_pipe_entry) ape_queue; 89150850Sscottl}; 90150850Sscottl 91150850Sscottl/* 92150850Sscottl * Audit pipes allow processes to express "interest" in the set of records 93150850Sscottl * that are delivered via the pipe. They do this in a similar manner to the 94150850Sscottl * mechanism for audit trail configuration, by expressing two global masks, 95152776Sru * and optionally expressing per-auid masks. The following data structure is 96150850Sscottl * the per-auid mask description. The global state is stored in the audit 97150850Sscottl * pipe data structure. 98150850Sscottl * 99152776Sru * We may want to consider a more space/time-efficient data structure once 100150850Sscottl * usage patterns for per-auid specifications are clear. 101150850Sscottl */ 102150850Sscottlstruct audit_pipe_preselect { 103150850Sscottl au_id_t app_auid; 104150850Sscottl au_mask_t app_mask; 105150850Sscottl TAILQ_ENTRY(audit_pipe_preselect) app_list; 106150850Sscottl}; 107150850Sscottl 108150850Sscottl/* 109150850Sscottl * Description of an individual audit_pipe. Consists largely of a bounded 110150850Sscottl * length queue. 111211397Sjoel */ 112150850Sscottl#define AUDIT_PIPE_ASYNC 0x00000001 113150850Sscottl#define AUDIT_PIPE_NBIO 0x00000002 114150850Sscottlstruct audit_pipe { 115150850Sscottl int ap_open; /* Device open? */ 116152776Sru u_int ap_flags; 117150850Sscottl 118150850Sscottl struct selinfo ap_selinfo; 119150850Sscottl struct sigio *ap_sigio; 120150850Sscottl 121150850Sscottl /* 122150850Sscottl * Per-pipe mutex protecting most fields in this data structure. 123150850Sscottl */ 124150850Sscottl struct mtx ap_mtx; 125150850Sscottl 126150850Sscottl /* 127150850Sscottl * Per-pipe sleep lock serializing user-generated reads and flushes. 128150850Sscottl * uiomove() is called to copy out the current head record's data 129150850Sscottl * while the record remains in the queue, so we prevent other threads 130150850Sscottl * from removing it using this lock. 131150850Sscottl */ 132150850Sscottl struct sx ap_sx; 133150850Sscottl 134150850Sscottl /* 135150850Sscottl * Condition variable to signal when data has been delivered to a 136150850Sscottl * pipe. 137150850Sscottl */ 138152776Sru struct cv ap_cv; 139150850Sscottl 140152776Sru /* 141150850Sscottl * Various queue-reated variables: qlen and qlimit are a count of 142152776Sru * records in the queue; qbyteslen is the number of bytes of data 143150850Sscottl * across all records, and qoffset is the amount read so far of the 144150850Sscottl * first record in the queue. The number of bytes available for 145152776Sru * reading in the queue is qbyteslen - qoffset. 146150850Sscottl */ 147150850Sscottl u_int ap_qlen; 148150850Sscottl u_int ap_qlimit; 149150850Sscottl u_int ap_qbyteslen; 150152776Sru u_int ap_qoffset; 151152776Sru 152150850Sscottl /* 153152776Sru * Per-pipe operation statistics. 154152776Sru */ 155150850Sscottl u_int64_t ap_inserts; /* Records added. */ 156150850Sscottl u_int64_t ap_reads; /* Records read. */ 157150850Sscottl u_int64_t ap_drops; /* Records dropped. */ 158150850Sscottl 159150850Sscottl /* 160150850Sscottl * Fields relating to pipe interest: global masks for unmatched 161150850Sscottl * processes (attributable, non-attributable), and a list of specific 162150850Sscottl * interest specifications by auid. 163150850Sscottl */ 164150850Sscottl int ap_preselect_mode; 165150850Sscottl au_mask_t ap_preselect_flags; 166150850Sscottl au_mask_t ap_preselect_naflags; 167150850Sscottl TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 168150850Sscottl 169150850Sscottl /* 170150850Sscottl * Current pending record list. Protected by a combination of ap_mtx 171150850Sscottl * and ap_sx. Note particularly that *both* locks are required to 172150850Sscottl * remove a record from the head of the queue, as an in-progress read 173150850Sscottl * may sleep while copying and therefore cannot hold ap_mtx. 174150850Sscottl */ 175150850Sscottl TAILQ_HEAD(, audit_pipe_entry) ap_queue; 176152776Sru 177152776Sru /* 178152776Sru * Global pipe list. 179150850Sscottl */ 180150850Sscottl TAILQ_ENTRY(audit_pipe) ap_list; 181150850Sscottl}; 182152776Sru 183152776Sru#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 184150850Sscottl#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 185150850Sscottl#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 186150850Sscottl#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 187152776Sru "audit_pipe_mtx", NULL, MTX_DEF) 188150850Sscottl#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 189233992Sjoel#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 190150850Sscottl 191150850Sscottl#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx) 192150850Sscottl#define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx") 193150850Sscottl#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED) 194150850Sscottl#define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx) 195150850Sscottl#define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx) 196150850Sscottl 197150850Sscottl/* 198150850Sscottl * Global list of audit pipes, rwlock to protect it. Individual record 199150850Sscottl * queues on pipes are protected by per-pipe locks; these locks synchronize 200150850Sscottl * between threads walking the list to deliver to individual pipes and add/ 201150850Sscottl * remove of pipes, and are mostly acquired for read. 202150850Sscottl */ 203150850Sscottlstatic TAILQ_HEAD(, audit_pipe) audit_pipe_list; 204150850Sscottlstatic struct rwlock audit_pipe_lock; 205150850Sscottl 206150850Sscottl#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 207150850Sscottl "audit_pipe_list_lock") 208150850Sscottl#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 209150850Sscottl#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 210150850Sscottl#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 211150850Sscottl#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 212150850Sscottl RA_WLOCKED) 213150850Sscottl#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 214150850Sscottl 215150850Sscottl/* 216150850Sscottl * Cloning related variables and constants. 217150850Sscottl */ 218150850Sscottl#define AUDIT_PIPE_NAME "auditpipe" 219150850Sscottlstatic eventhandler_tag audit_pipe_eh_tag; 220150850Sscottlstatic struct clonedevs *audit_pipe_clones; 221150850Sscottl 222150850Sscottl/* 223150850Sscottl * Special device methods and definition. 224150850Sscottl */ 225150850Sscottlstatic d_open_t audit_pipe_open; 226152776Srustatic d_close_t audit_pipe_close; 227152776Srustatic d_read_t audit_pipe_read; 228150850Sscottlstatic d_ioctl_t audit_pipe_ioctl; 229150850Sscottlstatic d_poll_t audit_pipe_poll; 230150850Sscottlstatic d_kqfilter_t audit_pipe_kqfilter; 231150850Sscottl 232150850Sscottlstatic struct cdevsw audit_pipe_cdevsw = { 233150850Sscottl .d_version = D_VERSION, 234150850Sscottl .d_flags = D_PSEUDO | D_NEEDMINOR, 235150850Sscottl .d_open = audit_pipe_open, 236152776Sru .d_close = audit_pipe_close, 237150850Sscottl .d_read = audit_pipe_read, 238150850Sscottl .d_ioctl = audit_pipe_ioctl, 239150850Sscottl .d_poll = audit_pipe_poll, 240150850Sscottl .d_kqfilter = audit_pipe_kqfilter, 241150850Sscottl .d_name = AUDIT_PIPE_NAME, 242150850Sscottl}; 243150850Sscottl 244150850Sscottlstatic int audit_pipe_kqread(struct knote *note, long hint); 245152776Srustatic void audit_pipe_kqdetach(struct knote *note); 246152776Sru 247152776Srustatic struct filterops audit_pipe_read_filterops = { 248150850Sscottl .f_isfd = 1, 249150850Sscottl .f_attach = NULL, 250150850Sscottl .f_detach = audit_pipe_kqdetach, 251150850Sscottl .f_event = audit_pipe_kqread, 252150850Sscottl}; 253150850Sscottl 254150850Sscottl/* 255152776Sru * Some global statistics on audit pipes. 256150850Sscottl */ 257152776Srustatic int audit_pipe_count; /* Current number of pipes. */ 258152776Srustatic u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 259152776Srustatic u_int64_t audit_pipe_records; /* Records seen. */ 260150850Sscottlstatic u_int64_t audit_pipe_drops; /* Global record drop count. */ 261150850Sscottl 262150850Sscottl/* 263150850Sscottl * Free an audit pipe entry. 264150850Sscottl */ 265150850Sscottlstatic void 266150850Sscottlaudit_pipe_entry_free(struct audit_pipe_entry *ape) 267150850Sscottl{ 268150850Sscottl 269150850Sscottl free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 270152776Sru free(ape, M_AUDIT_PIPE_ENTRY); 271152776Sru} 272152776Sru 273150850Sscottl/* 274152776Sru * Find an audit pipe preselection specification for an auid, if any. 275150850Sscottl */ 276150850Sscottlstatic struct audit_pipe_preselect * 277150850Sscottlaudit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 278150850Sscottl{ 279150850Sscottl struct audit_pipe_preselect *app; 280152776Sru 281150850Sscottl AUDIT_PIPE_LOCK_ASSERT(ap); 282150850Sscottl 283150850Sscottl TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 284211397Sjoel if (app->app_auid == auid) 285150850Sscottl return (app); 286150850Sscottl } 287150850Sscottl return (NULL); 288150850Sscottl} 289150850Sscottl 290150850Sscottl/* 291152776Sru * Query the per-pipe mask for a specific auid. 292150850Sscottl */ 293150850Sscottlstatic int 294150850Sscottlaudit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 295150850Sscottl au_mask_t *maskp) 296150850Sscottl{ 297152776Sru struct audit_pipe_preselect *app; 298150850Sscottl int error; 299152776Sru 300150850Sscottl AUDIT_PIPE_LOCK(ap); 301150850Sscottl app = audit_pipe_preselect_find(ap, auid); 302150850Sscottl if (app != NULL) { 303150850Sscottl *maskp = app->app_mask; 304150850Sscottl error = 0; 305152776Sru } else 306150850Sscottl error = ENOENT; 307150850Sscottl AUDIT_PIPE_UNLOCK(ap); 308152776Sru return (error); 309150850Sscottl} 310150850Sscottl 311150850Sscottl/* 312153380Sru * Set the per-pipe mask for a specific auid. Add a new entry if needed; 313150850Sscottl * otherwise, update the current entry. 314150850Sscottl */ 315150850Sscottlstatic void 316150850Sscottlaudit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 317150850Sscottl{ 318150850Sscottl struct audit_pipe_preselect *app, *app_new; 319150850Sscottl 320150850Sscottl /* 321152776Sru * Pessimistically assume that the auid doesn't already have a mask 322152776Sru * set, and allocate. We will free it if it is unneeded. 323152776Sru */ 324150850Sscottl app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 325150850Sscottl AUDIT_PIPE_LOCK(ap); 326150850Sscottl app = audit_pipe_preselect_find(ap, auid); 327152776Sru if (app == NULL) { 328152776Sru app = app_new; 329150850Sscottl app_new = NULL; 330150850Sscottl app->app_auid = auid; 331150850Sscottl TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 332150850Sscottl } 333150850Sscottl app->app_mask = mask; 334150850Sscottl AUDIT_PIPE_UNLOCK(ap); 335150850Sscottl if (app_new != NULL) 336150850Sscottl free(app_new, M_AUDIT_PIPE_PRESELECT); 337150850Sscottl} 338150850Sscottl 339152776Sru/* 340150850Sscottl * Delete a per-auid mask on an audit pipe. 341152776Sru */ 342150850Sscottlstatic int 343150850Sscottlaudit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 344150850Sscottl{ 345150850Sscottl struct audit_pipe_preselect *app; 346150850Sscottl int error; 347150850Sscottl 348150850Sscottl AUDIT_PIPE_LOCK(ap); 349150850Sscottl app = audit_pipe_preselect_find(ap, auid); 350150850Sscottl if (app != NULL) { 351150850Sscottl TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 352150850Sscottl error = 0; 353150850Sscottl } else 354150850Sscottl error = ENOENT; 355150850Sscottl AUDIT_PIPE_UNLOCK(ap); 356150850Sscottl if (app != NULL) 357150850Sscottl free(app, M_AUDIT_PIPE_PRESELECT); 358152776Sru return (error); 359150850Sscottl} 360150850Sscottl 361150850Sscottl/* 362150850Sscottl * Delete all per-auid masks on an audit pipe. 363150850Sscottl */ 364150850Sscottlstatic void 365150850Sscottlaudit_pipe_preselect_flush_locked(struct audit_pipe *ap) 366152776Sru{ 367150850Sscottl struct audit_pipe_preselect *app; 368150850Sscottl 369150850Sscottl AUDIT_PIPE_LOCK_ASSERT(ap); 370150850Sscottl 371150850Sscottl while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 372150850Sscottl TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 373150850Sscottl free(app, M_AUDIT_PIPE_PRESELECT); 374150850Sscottl } 375150850Sscottl} 376150850Sscottl 377150850Sscottlstatic void 378150850Sscottlaudit_pipe_preselect_flush(struct audit_pipe *ap) 379150850Sscottl{ 380150850Sscottl 381150850Sscottl AUDIT_PIPE_LOCK(ap); 382150850Sscottl audit_pipe_preselect_flush_locked(ap); 383150850Sscottl AUDIT_PIPE_UNLOCK(ap); 384150850Sscottl} 385150850Sscottl 386150850Sscottl/*- 387150850Sscottl * Determine whether a specific audit pipe matches a record with these 388150850Sscottl * properties. Algorithm is as follows: 389150850Sscottl * 390150850Sscottl * - If the pipe is configured to track the default trail configuration, then 391150850Sscottl * use the results of global preselection matching. 392150850Sscottl * - If not, search for a specifically configured auid entry matching the 393150850Sscottl * event. If an entry is found, use that. 394150850Sscottl * - Otherwise, use the default flags or naflags configured for the pipe. 395152776Sru */ 396152776Srustatic int 397152776Sruaudit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 398150850Sscottl au_event_t event, au_class_t class, int sorf, int trail_preselect) 399150850Sscottl{ 400150850Sscottl struct audit_pipe_preselect *app; 401150850Sscottl 402150850Sscottl AUDIT_PIPE_LOCK_ASSERT(ap); 403152776Sru 404152776Sru switch (ap->ap_preselect_mode) { 405150850Sscottl case AUDITPIPE_PRESELECT_MODE_TRAIL: 406150850Sscottl return (trail_preselect); 407150850Sscottl 408150850Sscottl case AUDITPIPE_PRESELECT_MODE_LOCAL: 409150850Sscottl app = audit_pipe_preselect_find(ap, auid); 410150850Sscottl if (app == NULL) { 411150850Sscottl if (auid == AU_DEFAUDITID) 412150850Sscottl return (au_preselect(event, class, 413150850Sscottl &ap->ap_preselect_naflags, sorf)); 414150850Sscottl else 415150850Sscottl return (au_preselect(event, class, 416150850Sscottl &ap->ap_preselect_flags, sorf)); 417150850Sscottl } else 418150850Sscottl return (au_preselect(event, class, &app->app_mask, 419150850Sscottl sorf)); 420150850Sscottl 421150850Sscottl default: 422150850Sscottl panic("audit_pipe_preselect_check: mode %d", 423150850Sscottl ap->ap_preselect_mode); 424150850Sscottl } 425152776Sru 426152776Sru return (0); 427150850Sscottl} 428150850Sscottl 429150850Sscottl/* 430150850Sscottl * Determine whether there exists a pipe interested in a record with specific 431150850Sscottl * properties. 432150850Sscottl */ 433150850Sscottlint 434150850Sscottlaudit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 435150850Sscottl int sorf, int trail_preselect) 436150850Sscottl{ 437150850Sscottl struct audit_pipe *ap; 438150850Sscottl 439150850Sscottl /* Lockless read to avoid acquiring the global lock if not needed. */ 440152776Sru if (TAILQ_EMPTY(&audit_pipe_list)) 441150850Sscottl return (0); 442150850Sscottl 443150850Sscottl AUDIT_PIPE_LIST_RLOCK(); 444150850Sscottl TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 445150850Sscottl AUDIT_PIPE_LOCK(ap); 446233992Sjoel if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 447150850Sscottl trail_preselect)) { 448152776Sru AUDIT_PIPE_UNLOCK(ap); 449150850Sscottl AUDIT_PIPE_LIST_RUNLOCK(); 450150850Sscottl return (1); 451150850Sscottl } 452150850Sscottl AUDIT_PIPE_UNLOCK(ap); 453150850Sscottl } 454150850Sscottl AUDIT_PIPE_LIST_RUNLOCK(); 455150850Sscottl return (0); 456150850Sscottl} 457150850Sscottl 458150850Sscottl/* 459150850Sscottl * Append individual record to a queue -- allocate queue-local buffer, and 460152776Sru * add to the queue. If the queue is full or we can't allocate memory, drop 461150850Sscottl * the newest record. 462152776Sru */ 463150850Sscottlstatic void 464150850Sscottlaudit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 465150850Sscottl{ 466150850Sscottl struct audit_pipe_entry *ape; 467150850Sscottl 468150850Sscottl AUDIT_PIPE_LOCK_ASSERT(ap); 469152776Sru 470150850Sscottl if (ap->ap_qlen >= ap->ap_qlimit) { 471150850Sscottl ap->ap_drops++; 472150850Sscottl audit_pipe_drops++; 473150850Sscottl return; 474150850Sscottl } 475150850Sscottl 476150850Sscottl ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 477150850Sscottl if (ape == NULL) { 478150850Sscottl ap->ap_drops++; 479150850Sscottl audit_pipe_drops++; 480150850Sscottl return; 481150850Sscottl } 482152776Sru 483152776Sru ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 484152776Sru if (ape->ape_record == NULL) { 485150850Sscottl free(ape, M_AUDIT_PIPE_ENTRY); 486150850Sscottl ap->ap_drops++; 487150850Sscottl audit_pipe_drops++; 488152776Sru return; 489152776Sru } 490150850Sscottl 491150850Sscottl bcopy(record, ape->ape_record, record_len); 492150850Sscottl ape->ape_record_len = record_len; 493150850Sscottl 494150850Sscottl TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 495150850Sscottl ap->ap_inserts++; 496150850Sscottl ap->ap_qlen++; 497150850Sscottl ap->ap_qbyteslen += ape->ape_record_len; 498150850Sscottl selwakeuppri(&ap->ap_selinfo, PSOCK); 499150850Sscottl KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 500150850Sscottl if (ap->ap_flags & AUDIT_PIPE_ASYNC) 501150850Sscottl pgsigio(&ap->ap_sigio, SIGIO, 0); 502150850Sscottl cv_broadcast(&ap->ap_cv); 503150850Sscottl} 504150850Sscottl 505150850Sscottl/* 506150850Sscottl * audit_pipe_submit(): audit_worker submits audit records via this 507150850Sscottl * interface, which arranges for them to be delivered to pipe queues. 508150850Sscottl */ 509150850Sscottlvoid 510150850Sscottlaudit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 511152776Sru int trail_select, void *record, u_int record_len) 512152776Sru{ 513152776Sru struct audit_pipe *ap; 514150850Sscottl 515211397Sjoel /* 516150850Sscottl * Lockless read to avoid lock overhead if pipes are not in use. 517152776Sru */ 518152776Sru if (TAILQ_FIRST(&audit_pipe_list) == NULL) 519150850Sscottl return; 520150850Sscottl 521150850Sscottl AUDIT_PIPE_LIST_RLOCK(); 522150850Sscottl TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 523150850Sscottl AUDIT_PIPE_LOCK(ap); 524150850Sscottl if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 525150850Sscottl trail_select)) 526150850Sscottl audit_pipe_append(ap, record, record_len); 527150850Sscottl AUDIT_PIPE_UNLOCK(ap); 528150850Sscottl } 529150850Sscottl AUDIT_PIPE_LIST_RUNLOCK(); 530150850Sscottl 531150850Sscottl /* Unlocked increment. */ 532152776Sru audit_pipe_records++; 533152776Sru} 534150850Sscottl 535150850Sscottl/* 536150850Sscottl * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 537150850Sscottl * since we don't currently have selection information available, it is 538150850Sscottl * delivered to the pipe unconditionally. 539150850Sscottl * 540150850Sscottl * XXXRW: This is a bug. The BSM check routine for submitting a user record 541152776Sru * should parse that information and return it. 542152776Sru */ 543150850Sscottlvoid 544152776Sruaudit_pipe_submit_user(void *record, u_int record_len) 545150850Sscottl{ 546152776Sru struct audit_pipe *ap; 547150850Sscottl 548152776Sru /* 549150850Sscottl * Lockless read to avoid lock overhead if pipes are not in use. 550152776Sru */ 551150850Sscottl if (TAILQ_FIRST(&audit_pipe_list) == NULL) 552152776Sru return; 553150850Sscottl 554152776Sru AUDIT_PIPE_LIST_RLOCK(); 555150850Sscottl TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 556150850Sscottl AUDIT_PIPE_LOCK(ap); 557152776Sru audit_pipe_append(ap, record, record_len); 558150850Sscottl AUDIT_PIPE_UNLOCK(ap); 559150850Sscottl } 560152776Sru AUDIT_PIPE_LIST_RUNLOCK(); 561150850Sscottl 562150850Sscottl /* Unlocked increment. */ 563150850Sscottl audit_pipe_records++; 564152776Sru} 565150850Sscottl 566150850Sscottl/* 567150850Sscottl * Allocate a new audit pipe. Connects the pipe, on success, to the global 568152776Sru * list and updates statistics. 569150850Sscottl */ 570150850Sscottlstatic struct audit_pipe * 571150850Sscottlaudit_pipe_alloc(void) 572150850Sscottl{ 573150850Sscottl struct audit_pipe *ap; 574150850Sscottl 575152776Sru AUDIT_PIPE_LIST_WLOCK_ASSERT(); 576150850Sscottl 577152776Sru ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 578150850Sscottl if (ap == NULL) 579150850Sscottl return (NULL); 580152776Sru ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 581150850Sscottl TAILQ_INIT(&ap->ap_queue); 582152776Sru knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap)); 583150850Sscottl AUDIT_PIPE_LOCK_INIT(ap); 584150850Sscottl AUDIT_PIPE_SX_LOCK_INIT(ap); 585152776Sru cv_init(&ap->ap_cv, "audit_pipe"); 586150850Sscottl 587150850Sscottl /* 588150850Sscottl * Default flags, naflags, and auid-specific preselection settings to 589150850Sscottl * 0. Initialize the mode to the global trail so that if praudit(1) 590150850Sscottl * is run on /dev/auditpipe, it sees events associated with the 591152776Sru * default trail. Pipe-aware application can clear the flag, set 592150850Sscottl * custom masks, and flush the pipe as needed. 593152776Sru */ 594150850Sscottl bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 595150850Sscottl bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 596152776Sru TAILQ_INIT(&ap->ap_preselect_list); 597150850Sscottl ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 598152776Sru 599150850Sscottl /* 600152776Sru * Add to global list and update global statistics. 601150850Sscottl */ 602150850Sscottl TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 603150850Sscottl audit_pipe_count++; 604150850Sscottl audit_pipe_ever++; 605152776Sru 606152776Sru return (ap); 607152776Sru} 608152776Sru 609152776Sru/* 610150850Sscottl * Flush all records currently present in an audit pipe; assume mutex is held. 611150850Sscottl */ 612150850Sscottlstatic void 613150850Sscottlaudit_pipe_flush(struct audit_pipe *ap) 614150850Sscottl{ 615152776Sru struct audit_pipe_entry *ape; 616152776Sru 617152776Sru AUDIT_PIPE_LOCK_ASSERT(ap); 618150850Sscottl 619150850Sscottl while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 620152776Sru TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 621152776Sru ap->ap_qbyteslen -= ape->ape_record_len; 622150850Sscottl audit_pipe_entry_free(ape); 623150850Sscottl ap->ap_qlen--; 624150850Sscottl } 625150850Sscottl ap->ap_qoffset = 0; 626152776Sru 627150850Sscottl KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen")); 628152776Sru KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen")); 629152776Sru} 630150850Sscottl 631150850Sscottl/* 632152776Sru * Free an audit pipe; this means freeing all preselection state and all 633152776Sru * records in the pipe. Assumes global write lock and pipe mutex are held to 634152776Sru * prevent any new records from being inserted during the free, and that the 635152776Sru * audit pipe is still on the global list. 636150850Sscottl */ 637152776Srustatic void 638150850Sscottlaudit_pipe_free(struct audit_pipe *ap) 639150850Sscottl{ 640150850Sscottl 641150850Sscottl AUDIT_PIPE_LIST_WLOCK_ASSERT(); 642150850Sscottl AUDIT_PIPE_LOCK_ASSERT(ap); 643150850Sscottl 644150850Sscottl audit_pipe_preselect_flush_locked(ap); 645150850Sscottl audit_pipe_flush(ap); 646150850Sscottl cv_destroy(&ap->ap_cv); 647150850Sscottl AUDIT_PIPE_SX_LOCK_DESTROY(ap); 648150850Sscottl AUDIT_PIPE_LOCK_DESTROY(ap); 649150850Sscottl seldrain(&ap->ap_selinfo); 650150850Sscottl knlist_destroy(&ap->ap_selinfo.si_note); 651150850Sscottl TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 652150850Sscottl free(ap, M_AUDIT_PIPE); 653150850Sscottl audit_pipe_count--; 654150850Sscottl} 655150850Sscottl 656150850Sscottl/* 657150850Sscottl * Audit pipe clone routine -- provide specific requested audit pipe, or a 658150850Sscottl * fresh one if a specific one is not requested. 659150850Sscottl */ 660152776Srustatic void 661152776Sruaudit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 662152776Sru struct cdev **dev) 663152776Sru{ 664152776Sru int i, u; 665150850Sscottl 666152776Sru if (*dev != NULL) 667150850Sscottl return; 668150850Sscottl 669150850Sscottl if (strcmp(name, AUDIT_PIPE_NAME) == 0) 670150850Sscottl u = -1; 671150850Sscottl else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 672150850Sscottl return; 673150850Sscottl 674150850Sscottl i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 675150850Sscottl if (i) { 676150850Sscottl *dev = make_dev(&audit_pipe_cdevsw, u, UID_ROOT, 677150850Sscottl GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 678150850Sscottl if (*dev != NULL) { 679150850Sscottl dev_ref(*dev); 680150850Sscottl (*dev)->si_flags |= SI_CHEAPCLONE; 681150850Sscottl } 682150850Sscottl } 683150850Sscottl} 684150850Sscottl 685150850Sscottl/* 686150850Sscottl * Audit pipe open method. Explicit privilege check isn't used as this 687150850Sscottl * allows file permissions on the special device to be used to grant audit 688150850Sscottl * review access. Those file permissions should be managed carefully. 689150850Sscottl */ 690150850Sscottlstatic int 691150850Sscottlaudit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 692150850Sscottl{ 693150850Sscottl struct audit_pipe *ap; 694150850Sscottl 695150850Sscottl AUDIT_PIPE_LIST_WLOCK(); 696150850Sscottl ap = dev->si_drv1; 697150850Sscottl if (ap == NULL) { 698150850Sscottl ap = audit_pipe_alloc(); 699150850Sscottl if (ap == NULL) { 700150850Sscottl AUDIT_PIPE_LIST_WUNLOCK(); 701150850Sscottl return (ENOMEM); 702150850Sscottl } 703150850Sscottl dev->si_drv1 = ap; 704150850Sscottl } else { 705150850Sscottl KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 706150850Sscottl AUDIT_PIPE_LIST_WUNLOCK(); 707150850Sscottl return (EBUSY); 708150850Sscottl } 709150850Sscottl ap->ap_open = 1; /* No lock required yet. */ 710150850Sscottl AUDIT_PIPE_LIST_WUNLOCK(); 711152776Sru fsetown(td->td_proc->p_pid, &ap->ap_sigio); 712150850Sscottl return (0); 713150850Sscottl} 714152776Sru 715150850Sscottl/* 716152776Sru * Close audit pipe, tear down all records, etc. 717150850Sscottl */ 718152776Srustatic int 719152776Sruaudit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 720152776Sru{ 721152776Sru struct audit_pipe *ap; 722152776Sru 723152776Sru ap = dev->si_drv1; 724 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 725 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 726 727 funsetown(&ap->ap_sigio); 728 AUDIT_PIPE_LIST_WLOCK(); 729 AUDIT_PIPE_LOCK(ap); 730 ap->ap_open = 0; 731 audit_pipe_free(ap); 732 dev->si_drv1 = NULL; 733 AUDIT_PIPE_LIST_WUNLOCK(); 734 return (0); 735} 736 737/* 738 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 739 * commands. 740 */ 741static int 742audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 743 struct thread *td) 744{ 745 struct auditpipe_ioctl_preselect *aip; 746 struct audit_pipe *ap; 747 au_mask_t *maskp; 748 int error, mode; 749 au_id_t auid; 750 751 ap = dev->si_drv1; 752 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 753 754 /* 755 * Audit pipe ioctls: first come standard device node ioctls, then 756 * manipulation of pipe settings, and finally, statistics query 757 * ioctls. 758 */ 759 switch (cmd) { 760 case FIONBIO: 761 AUDIT_PIPE_LOCK(ap); 762 if (*(int *)data) 763 ap->ap_flags |= AUDIT_PIPE_NBIO; 764 else 765 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 766 AUDIT_PIPE_UNLOCK(ap); 767 error = 0; 768 break; 769 770 case FIONREAD: 771 AUDIT_PIPE_LOCK(ap); 772 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset; 773 AUDIT_PIPE_UNLOCK(ap); 774 error = 0; 775 break; 776 777 case FIOASYNC: 778 AUDIT_PIPE_LOCK(ap); 779 if (*(int *)data) 780 ap->ap_flags |= AUDIT_PIPE_ASYNC; 781 else 782 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 783 AUDIT_PIPE_UNLOCK(ap); 784 error = 0; 785 break; 786 787 case FIOSETOWN: 788 error = fsetown(*(int *)data, &ap->ap_sigio); 789 break; 790 791 case FIOGETOWN: 792 *(int *)data = fgetown(&ap->ap_sigio); 793 error = 0; 794 break; 795 796 case AUDITPIPE_GET_QLEN: 797 *(u_int *)data = ap->ap_qlen; 798 error = 0; 799 break; 800 801 case AUDITPIPE_GET_QLIMIT: 802 *(u_int *)data = ap->ap_qlimit; 803 error = 0; 804 break; 805 806 case AUDITPIPE_SET_QLIMIT: 807 /* Lockless integer write. */ 808 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 809 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 810 ap->ap_qlimit = *(u_int *)data; 811 error = 0; 812 } else 813 error = EINVAL; 814 break; 815 816 case AUDITPIPE_GET_QLIMIT_MIN: 817 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 818 error = 0; 819 break; 820 821 case AUDITPIPE_GET_QLIMIT_MAX: 822 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 823 error = 0; 824 break; 825 826 case AUDITPIPE_GET_PRESELECT_FLAGS: 827 AUDIT_PIPE_LOCK(ap); 828 maskp = (au_mask_t *)data; 829 *maskp = ap->ap_preselect_flags; 830 AUDIT_PIPE_UNLOCK(ap); 831 error = 0; 832 break; 833 834 case AUDITPIPE_SET_PRESELECT_FLAGS: 835 AUDIT_PIPE_LOCK(ap); 836 maskp = (au_mask_t *)data; 837 ap->ap_preselect_flags = *maskp; 838 AUDIT_PIPE_UNLOCK(ap); 839 error = 0; 840 break; 841 842 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 843 AUDIT_PIPE_LOCK(ap); 844 maskp = (au_mask_t *)data; 845 *maskp = ap->ap_preselect_naflags; 846 AUDIT_PIPE_UNLOCK(ap); 847 error = 0; 848 break; 849 850 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 851 AUDIT_PIPE_LOCK(ap); 852 maskp = (au_mask_t *)data; 853 ap->ap_preselect_naflags = *maskp; 854 AUDIT_PIPE_UNLOCK(ap); 855 error = 0; 856 break; 857 858 case AUDITPIPE_GET_PRESELECT_AUID: 859 aip = (struct auditpipe_ioctl_preselect *)data; 860 error = audit_pipe_preselect_get(ap, aip->aip_auid, 861 &aip->aip_mask); 862 break; 863 864 case AUDITPIPE_SET_PRESELECT_AUID: 865 aip = (struct auditpipe_ioctl_preselect *)data; 866 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 867 error = 0; 868 break; 869 870 case AUDITPIPE_DELETE_PRESELECT_AUID: 871 auid = *(au_id_t *)data; 872 error = audit_pipe_preselect_delete(ap, auid); 873 break; 874 875 case AUDITPIPE_FLUSH_PRESELECT_AUID: 876 audit_pipe_preselect_flush(ap); 877 error = 0; 878 break; 879 880 case AUDITPIPE_GET_PRESELECT_MODE: 881 AUDIT_PIPE_LOCK(ap); 882 *(int *)data = ap->ap_preselect_mode; 883 AUDIT_PIPE_UNLOCK(ap); 884 error = 0; 885 break; 886 887 case AUDITPIPE_SET_PRESELECT_MODE: 888 mode = *(int *)data; 889 switch (mode) { 890 case AUDITPIPE_PRESELECT_MODE_TRAIL: 891 case AUDITPIPE_PRESELECT_MODE_LOCAL: 892 AUDIT_PIPE_LOCK(ap); 893 ap->ap_preselect_mode = mode; 894 AUDIT_PIPE_UNLOCK(ap); 895 error = 0; 896 break; 897 898 default: 899 error = EINVAL; 900 } 901 break; 902 903 case AUDITPIPE_FLUSH: 904 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 905 return (EINTR); 906 AUDIT_PIPE_LOCK(ap); 907 audit_pipe_flush(ap); 908 AUDIT_PIPE_UNLOCK(ap); 909 AUDIT_PIPE_SX_XUNLOCK(ap); 910 error = 0; 911 break; 912 913 case AUDITPIPE_GET_MAXAUDITDATA: 914 *(u_int *)data = MAXAUDITDATA; 915 error = 0; 916 break; 917 918 case AUDITPIPE_GET_INSERTS: 919 *(u_int *)data = ap->ap_inserts; 920 error = 0; 921 break; 922 923 case AUDITPIPE_GET_READS: 924 *(u_int *)data = ap->ap_reads; 925 error = 0; 926 break; 927 928 case AUDITPIPE_GET_DROPS: 929 *(u_int *)data = ap->ap_drops; 930 error = 0; 931 break; 932 933 case AUDITPIPE_GET_TRUNCATES: 934 *(u_int *)data = 0; 935 error = 0; 936 break; 937 938 default: 939 error = ENOTTY; 940 } 941 return (error); 942} 943 944/* 945 * Audit pipe read. Read one or more partial or complete records to user 946 * memory. 947 */ 948static int 949audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 950{ 951 struct audit_pipe_entry *ape; 952 struct audit_pipe *ap; 953 u_int toread; 954 int error; 955 956 ap = dev->si_drv1; 957 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 958 959 /* 960 * We hold an sx(9) lock over read and flush because we rely on the 961 * stability of a record in the queue during uiomove(9). 962 */ 963 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 964 return (EINTR); 965 AUDIT_PIPE_LOCK(ap); 966 while (TAILQ_EMPTY(&ap->ap_queue)) { 967 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 968 AUDIT_PIPE_UNLOCK(ap); 969 AUDIT_PIPE_SX_XUNLOCK(ap); 970 return (EAGAIN); 971 } 972 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 973 if (error) { 974 AUDIT_PIPE_UNLOCK(ap); 975 AUDIT_PIPE_SX_XUNLOCK(ap); 976 return (error); 977 } 978 } 979 980 /* 981 * Copy as many remaining bytes from the current record to userspace 982 * as we can. Keep processing records until we run out of records in 983 * the queue, or until the user buffer runs out of space. 984 * 985 * Note: we rely on the SX lock to maintain ape's stability here. 986 */ 987 ap->ap_reads++; 988 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && 989 uio->uio_resid > 0) { 990 AUDIT_PIPE_LOCK_ASSERT(ap); 991 992 KASSERT(ape->ape_record_len > ap->ap_qoffset, 993 ("audit_pipe_read: record_len > qoffset (1)")); 994 toread = MIN(ape->ape_record_len - ap->ap_qoffset, 995 uio->uio_resid); 996 AUDIT_PIPE_UNLOCK(ap); 997 error = uiomove((char *)ape->ape_record + ap->ap_qoffset, 998 toread, uio); 999 if (error) { 1000 AUDIT_PIPE_SX_XUNLOCK(ap); 1001 return (error); 1002 } 1003 1004 /* 1005 * If the copy succeeded, update book-keeping, and if no 1006 * bytes remain in the current record, free it. 1007 */ 1008 AUDIT_PIPE_LOCK(ap); 1009 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 1010 ("audit_pipe_read: queue out of sync after uiomove")); 1011 ap->ap_qoffset += toread; 1012 KASSERT(ape->ape_record_len >= ap->ap_qoffset, 1013 ("audit_pipe_read: record_len >= qoffset (2)")); 1014 if (ap->ap_qoffset == ape->ape_record_len) { 1015 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 1016 ap->ap_qbyteslen -= ape->ape_record_len; 1017 audit_pipe_entry_free(ape); 1018 ap->ap_qlen--; 1019 ap->ap_qoffset = 0; 1020 } 1021 } 1022 AUDIT_PIPE_UNLOCK(ap); 1023 AUDIT_PIPE_SX_XUNLOCK(ap); 1024 return (0); 1025} 1026 1027/* 1028 * Audit pipe poll. 1029 */ 1030static int 1031audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 1032{ 1033 struct audit_pipe *ap; 1034 int revents; 1035 1036 revents = 0; 1037 ap = dev->si_drv1; 1038 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1039 1040 if (events & (POLLIN | POLLRDNORM)) { 1041 AUDIT_PIPE_LOCK(ap); 1042 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1043 revents |= events & (POLLIN | POLLRDNORM); 1044 else 1045 selrecord(td, &ap->ap_selinfo); 1046 AUDIT_PIPE_UNLOCK(ap); 1047 } 1048 return (revents); 1049} 1050 1051/* 1052 * Audit pipe kqfilter. 1053 */ 1054static int 1055audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1056{ 1057 struct audit_pipe *ap; 1058 1059 ap = dev->si_drv1; 1060 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 1061 1062 if (kn->kn_filter != EVFILT_READ) 1063 return (EINVAL); 1064 1065 kn->kn_fop = &audit_pipe_read_filterops; 1066 kn->kn_hook = ap; 1067 1068 AUDIT_PIPE_LOCK(ap); 1069 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1070 AUDIT_PIPE_UNLOCK(ap); 1071 return (0); 1072} 1073 1074/* 1075 * Return true if there are records available for reading on the pipe. 1076 */ 1077static int 1078audit_pipe_kqread(struct knote *kn, long hint) 1079{ 1080 struct audit_pipe *ap; 1081 1082 ap = (struct audit_pipe *)kn->kn_hook; 1083 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1084 AUDIT_PIPE_LOCK_ASSERT(ap); 1085 1086 if (ap->ap_qlen != 0) { 1087 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset; 1088 return (1); 1089 } else { 1090 kn->kn_data = 0; 1091 return (0); 1092 } 1093} 1094 1095/* 1096 * Detach kqueue state from audit pipe. 1097 */ 1098static void 1099audit_pipe_kqdetach(struct knote *kn) 1100{ 1101 struct audit_pipe *ap; 1102 1103 ap = (struct audit_pipe *)kn->kn_hook; 1104 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1105 1106 AUDIT_PIPE_LOCK(ap); 1107 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1108 AUDIT_PIPE_UNLOCK(ap); 1109} 1110 1111/* 1112 * Initialize the audit pipe system. 1113 */ 1114static void 1115audit_pipe_init(void *unused) 1116{ 1117 1118 TAILQ_INIT(&audit_pipe_list); 1119 AUDIT_PIPE_LIST_LOCK_INIT(); 1120 1121 clone_setup(&audit_pipe_clones); 1122 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1123 audit_pipe_clone, 0, 1000); 1124 if (audit_pipe_eh_tag == NULL) 1125 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1126} 1127 1128SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1129 NULL); 1130