1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2011, David E. O'Brien. 5 * Copyright (c) 2009-2011, Juniper Networks, Inc. 6 * Copyright (c) 2015-2016, EMC Corp. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31#include <sys/param.h> 32#include <sys/file.h> 33#include <sys/systm.h> 34#include <sys/buf.h> 35#include <sys/capsicum.h> 36#include <sys/condvar.h> 37#include <sys/conf.h> 38#include <sys/fcntl.h> 39#include <sys/ioccom.h> 40#include <sys/kernel.h> 41#include <sys/lock.h> 42#include <sys/malloc.h> 43#include <sys/module.h> 44#include <sys/poll.h> 45#include <sys/proc.h> 46#include <sys/sx.h> 47#include <sys/syscall.h> 48#include <sys/sysent.h> 49#include <sys/sysproto.h> 50#include <sys/uio.h> 51 52#include "filemon.h" 53 54#if defined(COMPAT_FREEBSD32) 55#include <compat/freebsd32/freebsd32_syscall.h> 56#include <compat/freebsd32/freebsd32_proto.h> 57#include <compat/freebsd32/freebsd32_util.h> 58#endif 59 60static d_close_t filemon_close; 61static d_ioctl_t filemon_ioctl; 62static d_open_t filemon_open; 63 64static struct cdevsw filemon_cdevsw = { 65 .d_version = D_VERSION, 66 .d_close = filemon_close, 67 .d_ioctl = filemon_ioctl, 68 .d_open = filemon_open, 69 .d_name = "filemon", 70}; 71 72MALLOC_DECLARE(M_FILEMON); 73MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); 74 75/* 76 * The filemon->lock protects several things currently: 77 * - fname1/fname2/msgbufr are pre-allocated and used per syscall 78 * for logging and copyins rather than stack variables. 79 * - Serializing the filemon's log output. 80 * - Preventing inheritance or removal of the filemon into proc.p_filemon. 81 */ 82struct filemon { 83 struct sx lock; /* Lock for this filemon. */ 84 struct file *fp; /* Output file pointer. */ 85 struct ucred *cred; /* Credential of tracer. */ 86 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ 87 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ 88 char msgbufr[2*MAXPATHLEN + 100]; /* Output message buffer. */ 89 int error; /* Log write error, returned on close(2). */ 90 u_int refcnt; /* Pointer reference count. */ 91 u_int proccnt; /* Process count. */ 92}; 93 94static struct cdev *filemon_dev; 95static void filemon_output(struct filemon *filemon, char *msg, size_t len); 96 97static __inline struct filemon * 98filemon_acquire(struct filemon *filemon) 99{ 100 101 if (filemon != NULL) 102 refcount_acquire(&filemon->refcnt); 103 return (filemon); 104} 105 106/* 107 * Release a reference and free on the last one. 108 */ 109static void 110filemon_release(struct filemon *filemon) 111{ 112 113 if (refcount_release(&filemon->refcnt) == 0) 114 return; 115 /* 116 * There are valid cases of releasing while locked, such as in 117 * filemon_untrack_processes, but none which are done where there 118 * is not at least 1 reference remaining. 119 */ 120 sx_assert(&filemon->lock, SA_UNLOCKED); 121 122 if (filemon->cred != NULL) 123 crfree(filemon->cred); 124 sx_destroy(&filemon->lock); 125 free(filemon, M_FILEMON); 126} 127 128/* 129 * Acquire the proc's p_filemon reference and lock the filemon. 130 * The proc's p_filemon may not match this filemon on return. 131 */ 132static struct filemon * 133filemon_proc_get(struct proc *p) 134{ 135 struct filemon *filemon; 136 137 if (p->p_filemon == NULL) 138 return (NULL); 139 PROC_LOCK(p); 140 filemon = filemon_acquire(p->p_filemon); 141 PROC_UNLOCK(p); 142 143 if (filemon == NULL) 144 return (NULL); 145 /* 146 * The p->p_filemon may have changed by now. That case is handled 147 * by the exit and fork hooks and filemon_attach_proc specially. 148 */ 149 sx_xlock(&filemon->lock); 150 return (filemon); 151} 152 153/* Remove and release the filemon on the given process. */ 154static void 155filemon_proc_drop(struct proc *p) 156{ 157 struct filemon *filemon; 158 159 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", 160 __func__, p)); 161 sx_assert(&p->p_filemon->lock, SA_XLOCKED); 162 PROC_LOCK(p); 163 filemon = p->p_filemon; 164 p->p_filemon = NULL; 165 --filemon->proccnt; 166 PROC_UNLOCK(p); 167 /* 168 * This should not be the last reference yet. filemon_release() 169 * cannot be called with filemon locked, which the caller expects 170 * will stay locked. 171 */ 172 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " 173 "with last reference", __func__, p, filemon)); 174 filemon_release(filemon); 175} 176 177/* Unlock and release the filemon. */ 178static __inline void 179filemon_drop(struct filemon *filemon) 180{ 181 182 sx_xunlock(&filemon->lock); 183 filemon_release(filemon); 184} 185 186#include "filemon_wrapper.c" 187 188static void 189filemon_write_header(struct filemon *filemon) 190{ 191 int len; 192 struct timeval now; 193 194 getmicrotime(&now); 195 196 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), 197 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", 198 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, 199 (uintmax_t)now.tv_usec, FILEMON_VERSION); 200 if (len < sizeof(filemon->msgbufr)) 201 filemon_output(filemon, filemon->msgbufr, len); 202} 203 204/* 205 * Invalidate the passed filemon in all processes. 206 */ 207static void 208filemon_untrack_processes(struct filemon *filemon) 209{ 210 struct proc *p; 211 212 sx_assert(&filemon->lock, SA_XLOCKED); 213 214 /* Avoid allproc loop if there is no need. */ 215 if (filemon->proccnt == 0) 216 return; 217 218 /* 219 * Processes in this list won't go away while here since 220 * filemon_event_process_exit() will lock on filemon->lock 221 * which we hold. 222 */ 223 sx_slock(&allproc_lock); 224 FOREACH_PROC_IN_SYSTEM(p) { 225 /* 226 * No PROC_LOCK is needed to compare here since it is 227 * guaranteed to not change since we have its filemon 228 * locked. Everything that changes this p_filemon will 229 * be locked on it. 230 */ 231 if (p->p_filemon == filemon) 232 filemon_proc_drop(p); 233 } 234 sx_sunlock(&allproc_lock); 235 236 /* 237 * It's possible some references were acquired but will be 238 * dropped shortly as they are restricted from being 239 * inherited. There is at least the reference in cdevpriv remaining. 240 */ 241 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " 242 "references still.", __func__, filemon)); 243 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " 244 "attached procs still.", __func__, filemon)); 245} 246 247/* 248 * Close out the log. 249 */ 250static void 251filemon_close_log(struct filemon *filemon) 252{ 253 struct file *fp; 254 struct timeval now; 255 size_t len; 256 257 sx_assert(&filemon->lock, SA_XLOCKED); 258 if (filemon->fp == NULL) 259 return; 260 261 getmicrotime(&now); 262 263 len = snprintf(filemon->msgbufr, 264 sizeof(filemon->msgbufr), 265 "# Stop %ju.%06ju\n# Bye bye\n", 266 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); 267 268 if (len < sizeof(filemon->msgbufr)) 269 filemon_output(filemon, filemon->msgbufr, len); 270 fp = filemon->fp; 271 filemon->fp = NULL; 272 273 sx_xunlock(&filemon->lock); 274 fdrop(fp, curthread); 275 sx_xlock(&filemon->lock); 276} 277 278/* 279 * The devfs file is being closed. Untrace all processes. It is possible 280 * filemon_close/close(2) was not called. 281 */ 282static void 283filemon_dtr(void *data) 284{ 285 struct filemon *filemon = data; 286 287 if (filemon == NULL) 288 return; 289 290 sx_xlock(&filemon->lock); 291 /* 292 * Detach the filemon. It cannot be inherited after this. 293 */ 294 filemon_untrack_processes(filemon); 295 filemon_close_log(filemon); 296 filemon_drop(filemon); 297} 298 299/* Attach the filemon to the process. */ 300static int 301filemon_attach_proc(struct filemon *filemon, struct proc *p) 302{ 303 struct filemon *filemon2; 304 305 sx_assert(&filemon->lock, SA_XLOCKED); 306 PROC_LOCK_ASSERT(p, MA_OWNED); 307 KASSERT((p->p_flag & P_WEXIT) == 0, 308 ("%s: filemon %p attaching to exiting process %p", 309 __func__, filemon, p)); 310 KASSERT((p->p_flag & P_INEXEC) == 0, 311 ("%s: filemon %p attaching to execing process %p", 312 __func__, filemon, p)); 313 314 if (p->p_filemon == filemon) 315 return (0); 316 /* 317 * Don't allow truncating other process traces. It is 318 * not really intended to trace procs other than curproc 319 * anyhow. 320 */ 321 if (p->p_filemon != NULL && p != curproc) 322 return (EBUSY); 323 /* 324 * Historic behavior of filemon has been to let a child initiate 325 * tracing on itself and cease existing tracing. Bmake 326 * .META + .MAKE relies on this. It is only relevant for attaching to 327 * curproc. 328 */ 329 while (p->p_filemon != NULL) { 330 PROC_UNLOCK(p); 331 sx_xunlock(&filemon->lock); 332 while ((filemon2 = filemon_proc_get(p)) != NULL) { 333 /* It may have changed. */ 334 if (p->p_filemon == filemon2) 335 filemon_proc_drop(p); 336 filemon_drop(filemon2); 337 } 338 sx_xlock(&filemon->lock); 339 PROC_LOCK(p); 340 /* 341 * It may have been attached to, though unlikely. 342 * Try again if needed. 343 */ 344 } 345 346 KASSERT(p->p_filemon == NULL, 347 ("%s: proc %p didn't detach filemon %p", __func__, p, 348 p->p_filemon)); 349 p->p_filemon = filemon_acquire(filemon); 350 ++filemon->proccnt; 351 352 return (0); 353} 354 355static int 356filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, 357 struct thread *td) 358{ 359 struct filemon *filemon; 360 struct file *fp; 361 struct proc *p; 362 int error; 363 364 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 365 return (error); 366 367 sx_xlock(&filemon->lock); 368 369 switch (cmd) { 370 /* Set the output file descriptor. */ 371 case FILEMON_SET_FD: 372 if (filemon->fp != NULL) { 373 error = EEXIST; 374 break; 375 } 376 377 error = fget_write(td, *(int *)data, &cap_pwrite_rights, &fp); 378 if (error == 0) { 379 /* 380 * The filemon handle may be passed to another process, 381 * so the underlying file handle must support this. 382 */ 383 if ((fp->f_ops->fo_flags & DFLAG_PASSABLE) == 0) { 384 fdrop(fp, curthread); 385 error = EINVAL; 386 break; 387 } 388 filemon->fp = fp; 389 /* Write the file header. */ 390 filemon_write_header(filemon); 391 } 392 break; 393 394 /* Set the monitored process ID. */ 395 case FILEMON_SET_PID: 396 /* Invalidate any existing processes already set. */ 397 filemon_untrack_processes(filemon); 398 399 error = pget(*((pid_t *)data), 400 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p); 401 if (error == 0) { 402 KASSERT(p->p_filemon != filemon, 403 ("%s: proc %p didn't untrack filemon %p", 404 __func__, p, filemon)); 405 error = filemon_attach_proc(filemon, p); 406 PROC_UNLOCK(p); 407 } 408 break; 409 410 default: 411 error = EINVAL; 412 break; 413 } 414 415 sx_xunlock(&filemon->lock); 416 return (error); 417} 418 419static int 420filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, 421 struct thread *td) 422{ 423 int error; 424 struct filemon *filemon; 425 426 filemon = malloc(sizeof(*filemon), M_FILEMON, 427 M_WAITOK | M_ZERO); 428 sx_init(&filemon->lock, "filemon"); 429 refcount_init(&filemon->refcnt, 1); 430 filemon->cred = crhold(td->td_ucred); 431 432 error = devfs_set_cdevpriv(filemon, filemon_dtr); 433 if (error != 0) 434 filemon_release(filemon); 435 436 return (error); 437} 438 439/* Called on close of last devfs file handle, before filemon_dtr(). */ 440static int 441filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, 442 struct thread *td __unused) 443{ 444 struct filemon *filemon; 445 int error; 446 447 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 448 return (error); 449 450 sx_xlock(&filemon->lock); 451 filemon_close_log(filemon); 452 error = filemon->error; 453 sx_xunlock(&filemon->lock); 454 /* 455 * Processes are still being traced but won't log anything 456 * now. After this call returns filemon_dtr() is called which 457 * will detach processes. 458 */ 459 460 return (error); 461} 462 463static void 464filemon_load(void *dummy __unused) 465{ 466 467 /* Install the syscall wrappers. */ 468 filemon_wrapper_install(); 469 470 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, 471 "filemon"); 472} 473 474static int 475filemon_unload(void) 476{ 477 478 destroy_dev(filemon_dev); 479 filemon_wrapper_deinstall(); 480 481 return (0); 482} 483 484static int 485filemon_modevent(module_t mod __unused, int type, void *data) 486{ 487 int error = 0; 488 489 switch (type) { 490 case MOD_LOAD: 491 filemon_load(data); 492 break; 493 494 case MOD_UNLOAD: 495 error = filemon_unload(); 496 break; 497 498 case MOD_QUIESCE: 499 /* 500 * The wrapper implementation is unsafe for reliable unload. 501 * Require forcing an unload. 502 */ 503 error = EBUSY; 504 break; 505 506 case MOD_SHUTDOWN: 507 break; 508 509 default: 510 error = EOPNOTSUPP; 511 break; 512 513 } 514 515 return (error); 516} 517 518DEV_MODULE(filemon, filemon_modevent, NULL); 519MODULE_VERSION(filemon, 1); 520