1/*- 2 * SPDX-License-Identifier: BSD-4-Clause 3 * 4 * Copyright (c) 1982, 1986, 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * (c) UNIX System Laboratories, Inc. 7 * Copyright (c) 2005 Robert N. M. Watson 8 * All rights reserved. 9 * 10 * All or some portions of this file are derived from material licensed 11 * to the University of California by American Telephone and Telegraph 12 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 13 * the permission of UNIX System Laboratories, Inc. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. Neither the name of the University nor the names of its contributors 24 * may be used to endorse or promote products derived from this software 25 * without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * Copyright (c) 1994 Christopher G. Demetriou 40 * 41 * Redistribution and use in source and binary forms, with or without 42 * modification, are permitted provided that the following conditions 43 * are met: 44 * 1. Redistributions of source code must retain the above copyright 45 * notice, this list of conditions and the following disclaimer. 46 * 2. Redistributions in binary form must reproduce the above copyright 47 * notice, this list of conditions and the following disclaimer in the 48 * documentation and/or other materials provided with the distribution. 49 * 3. All advertising materials mentioning features or use of this software 50 * must display the following acknowledgement: 51 * This product includes software developed by the University of 52 * California, Berkeley and its contributors. 53 * 4. Neither the name of the University nor the names of its contributors 54 * may be used to endorse or promote products derived from this software 55 * without specific prior written permission. 56 * 57 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 58 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 59 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 60 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 61 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 62 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 63 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 64 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 65 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 66 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 67 * SUCH DAMAGE. 68 */ 69 70#include <sys/param.h> 71#include <sys/systm.h> 72#include <sys/acct.h> 73#include <sys/fcntl.h> 74#include <sys/kernel.h> 75#include <sys/kthread.h> 76#include <sys/limits.h> 77#include <sys/lock.h> 78#include <sys/malloc.h> 79#include <sys/mount.h> 80#include <sys/mutex.h> 81#include <sys/namei.h> 82#include <sys/priv.h> 83#include <sys/proc.h> 84#include <sys/resourcevar.h> 85#include <sys/sched.h> 86#include <sys/sx.h> 87#include <sys/sysctl.h> 88#include <sys/syslog.h> 89#include <sys/sysproto.h> 90#include <sys/tty.h> 91#include <sys/vnode.h> 92 93#include <security/mac/mac_framework.h> 94 95_Static_assert(sizeof(struct acctv3) - offsetof(struct acctv3, ac_trailer) == 96 sizeof(struct acctv2) - offsetof(struct acctv2, ac_trailer), "trailer"); 97_Static_assert(sizeof(struct acctv3) - offsetof(struct acctv3, ac_len2) == 98 sizeof(struct acctv2) - offsetof(struct acctv2, ac_len2), "len2"); 99 100/* 101 * The routines implemented in this file are described in: 102 * Leffler, et al.: The Design and Implementation of the 4.3BSD 103 * UNIX Operating System (Addison Welley, 1989) 104 * on pages 62-63. 105 * On May 2007 the historic 3 bits base 8 exponent, 13 bit fraction 106 * compt_t representation described in the above reference was replaced 107 * with that of IEEE-754 floats. 108 * 109 * Arguably, to simplify accounting operations, this mechanism should 110 * be replaced by one in which an accounting log file (similar to /dev/klog) 111 * is read by a user process, etc. However, that has its own problems. 112 */ 113 114/* Floating point definitions from <float.h>. */ 115#define FLT_MANT_DIG 24 /* p */ 116#define FLT_MAX_EXP 128 /* emax */ 117 118/* 119 * Internal accounting functions. 120 * The former's operation is described in Leffler, et al., and the latter 121 * was provided by UCB with the 4.4BSD-Lite release 122 */ 123static uint32_t encode_timeval(struct timeval); 124static uint32_t encode_long(long); 125static void acctwatch(void); 126static void acct_thread(void *); 127static int acct_disable(struct thread *, int); 128 129/* 130 * Accounting vnode pointer, saved vnode pointer, and flags for each. 131 * acct_sx protects against changes to the active vnode and credentials 132 * while accounting records are being committed to disk. 133 */ 134static int acct_configured; 135static int acct_suspended; 136static struct vnode *acct_vp; 137static struct ucred *acct_cred; 138static int acct_flags; 139static struct sx acct_sx; 140 141SX_SYSINIT(acct, &acct_sx, "acct_sx"); 142 143/* 144 * State of the accounting kthread. 145 */ 146static int acct_state; 147 148#define ACCT_RUNNING 1 /* Accounting kthread is running. */ 149#define ACCT_EXITREQ 2 /* Accounting kthread should exit. */ 150 151/* 152 * Values associated with enabling and disabling accounting 153 */ 154static int acctsuspend = 2; /* stop accounting when < 2% free space left */ 155SYSCTL_INT(_kern, OID_AUTO, acct_suspend, CTLFLAG_RW, 156 &acctsuspend, 0, "percentage of free disk space below which accounting stops"); 157 158static int acctresume = 4; /* resume when free space risen to > 4% */ 159SYSCTL_INT(_kern, OID_AUTO, acct_resume, CTLFLAG_RW, 160 &acctresume, 0, "percentage of free disk space above which accounting resumes"); 161 162static int acctchkfreq = 15; /* frequency (in seconds) to check space */ 163 164static int 165sysctl_acct_chkfreq(SYSCTL_HANDLER_ARGS) 166{ 167 int error, value; 168 169 /* Write out the old value. */ 170 error = SYSCTL_OUT(req, &acctchkfreq, sizeof(int)); 171 if (error || req->newptr == NULL) 172 return (error); 173 174 /* Read in and verify the new value. */ 175 error = SYSCTL_IN(req, &value, sizeof(int)); 176 if (error) 177 return (error); 178 if (value <= 0) 179 return (EINVAL); 180 acctchkfreq = value; 181 return (0); 182} 183SYSCTL_PROC(_kern, OID_AUTO, acct_chkfreq, 184 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, &acctchkfreq, 0, 185 sysctl_acct_chkfreq, "I", 186 "frequency for checking the free space"); 187 188SYSCTL_INT(_kern, OID_AUTO, acct_configured, CTLFLAG_RD, &acct_configured, 0, 189 "Accounting configured or not"); 190 191SYSCTL_INT(_kern, OID_AUTO, acct_suspended, CTLFLAG_RD, &acct_suspended, 0, 192 "Accounting suspended or not"); 193 194/* 195 * Accounting system call. Written based on the specification and previous 196 * implementation done by Mark Tinguely. 197 */ 198int 199sys_acct(struct thread *td, struct acct_args *uap) 200{ 201 struct nameidata nd; 202 int error, flags, replacing; 203 204 error = priv_check(td, PRIV_ACCT); 205 if (error) 206 return (error); 207 208 /* 209 * If accounting is to be started to a file, open that file for 210 * appending and make sure it's a 'normal'. 211 */ 212 if (uap->path != NULL) { 213 NDINIT(&nd, LOOKUP, NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, 214 uap->path); 215 flags = FWRITE | O_APPEND; 216 error = vn_open(&nd, &flags, 0, NULL); 217 if (error) 218 return (error); 219 NDFREE_PNBUF(&nd); 220#ifdef MAC 221 error = mac_system_check_acct(td->td_ucred, nd.ni_vp); 222 if (error) { 223 VOP_UNLOCK(nd.ni_vp); 224 vn_close(nd.ni_vp, flags, td->td_ucred, td); 225 return (error); 226 } 227#endif 228 VOP_UNLOCK(nd.ni_vp); 229 if (nd.ni_vp->v_type != VREG) { 230 vn_close(nd.ni_vp, flags, td->td_ucred, td); 231 return (EACCES); 232 } 233#ifdef MAC 234 } else { 235 error = mac_system_check_acct(td->td_ucred, NULL); 236 if (error) 237 return (error); 238#endif 239 } 240 241 /* 242 * Disallow concurrent access to the accounting vnode while we swap 243 * it out, in order to prevent access after close. 244 */ 245 sx_xlock(&acct_sx); 246 247 /* 248 * Don't log spurious disable/enable messages if we are 249 * switching from one accounting file to another due to log 250 * rotation. 251 */ 252 replacing = (acct_vp != NULL && uap->path != NULL); 253 254 /* 255 * If accounting was previously enabled, kill the old space-watcher, 256 * close the file, and (if no new file was specified, leave). Reset 257 * the suspended state regardless of whether accounting remains 258 * enabled. 259 */ 260 acct_suspended = 0; 261 if (acct_vp != NULL) 262 error = acct_disable(td, !replacing); 263 if (uap->path == NULL) { 264 if (acct_state & ACCT_RUNNING) { 265 acct_state |= ACCT_EXITREQ; 266 wakeup(&acct_state); 267 } 268 sx_xunlock(&acct_sx); 269 return (error); 270 } 271 272 /* 273 * Save the new accounting file vnode, and schedule the new 274 * free space watcher. 275 */ 276 acct_vp = nd.ni_vp; 277 acct_cred = crhold(td->td_ucred); 278 acct_flags = flags; 279 if (acct_state & ACCT_RUNNING) 280 acct_state &= ~ACCT_EXITREQ; 281 else { 282 /* 283 * Try to start up an accounting kthread. We may start more 284 * than one, but if so the extras will commit suicide as 285 * soon as they start up. 286 */ 287 error = kproc_create(acct_thread, NULL, NULL, 0, 0, 288 "accounting"); 289 if (error) { 290 (void) acct_disable(td, 0); 291 sx_xunlock(&acct_sx); 292 log(LOG_NOTICE, "Unable to start accounting thread\n"); 293 return (error); 294 } 295 } 296 acct_configured = 1; 297 sx_xunlock(&acct_sx); 298 if (!replacing) 299 log(LOG_NOTICE, "Accounting enabled\n"); 300 return (error); 301} 302 303/* 304 * Disable currently in-progress accounting by closing the vnode, dropping 305 * our reference to the credential, and clearing the vnode's flags. 306 */ 307static int 308acct_disable(struct thread *td, int logging) 309{ 310 int error; 311 312 sx_assert(&acct_sx, SX_XLOCKED); 313 error = vn_close(acct_vp, acct_flags, acct_cred, td); 314 crfree(acct_cred); 315 acct_configured = 0; 316 acct_vp = NULL; 317 acct_cred = NULL; 318 acct_flags = 0; 319 if (logging) 320 log(LOG_NOTICE, "Accounting disabled\n"); 321 return (error); 322} 323 324/* 325 * Write out process accounting information, on process exit. 326 * Data to be written out is specified in Leffler, et al. 327 * and are enumerated below. (They're also noted in the system 328 * "acct.h" header file.) 329 */ 330int 331acct_process(struct thread *td) 332{ 333 struct acctv3 acct; 334 struct timeval ut, st, tmp; 335 struct proc *p; 336 struct rusage ru; 337 int t, ret; 338 339 /* 340 * Lockless check of accounting condition before doing the hard 341 * work. 342 */ 343 if (acct_vp == NULL || acct_suspended) 344 return (0); 345 346 memset(&acct, 0, sizeof(acct)); 347 348 sx_slock(&acct_sx); 349 350 /* 351 * If accounting isn't enabled, don't bother. Have to check again 352 * once we own the lock in case we raced with disabling of accounting 353 * by another thread. 354 */ 355 if (acct_vp == NULL || acct_suspended) { 356 sx_sunlock(&acct_sx); 357 return (0); 358 } 359 360 p = td->td_proc; 361 td->td_pflags2 |= TDP2_ACCT; 362 363 /* 364 * Get process accounting information. 365 */ 366 367 sx_slock(&proctree_lock); 368 PROC_LOCK(p); 369 370 /* (1) The terminal from which the process was started */ 371 if ((p->p_flag & P_CONTROLT) && p->p_pgrp->pg_session->s_ttyp) 372 acct.ac_tty = tty_udev(p->p_pgrp->pg_session->s_ttyp); 373 else 374 acct.ac_tty = NODEV; 375 sx_sunlock(&proctree_lock); 376 377 /* (2) The name of the command that ran */ 378 bcopy(p->p_comm, acct.ac_comm, sizeof acct.ac_comm); 379 380 /* (3) The amount of user and system time that was used */ 381 rufetchcalc(p, &ru, &ut, &st); 382 acct.ac_utime = encode_timeval(ut); 383 acct.ac_stime = encode_timeval(st); 384 385 /* (4) The elapsed time the command ran (and its starting time) */ 386 getboottime(&tmp); 387 timevaladd(&tmp, &p->p_stats->p_start); 388 acct.ac_btime = tmp.tv_sec; 389 microuptime(&tmp); 390 timevalsub(&tmp, &p->p_stats->p_start); 391 acct.ac_etime = encode_timeval(tmp); 392 393 /* (5) The average amount of memory used */ 394 tmp = ut; 395 timevaladd(&tmp, &st); 396 /* Convert tmp (i.e. u + s) into hz units to match ru_i*. */ 397 t = tmp.tv_sec * hz + tmp.tv_usec / tick; 398 if (t) 399 acct.ac_mem = encode_long((ru.ru_ixrss + ru.ru_idrss + 400 + ru.ru_isrss) / t); 401 else 402 acct.ac_mem = 0; 403 404 /* (6) The number of disk I/O operations done */ 405 acct.ac_io = encode_long(ru.ru_inblock + ru.ru_oublock); 406 407 /* (7) The UID and GID of the process */ 408 acct.ac_uid = p->p_ucred->cr_ruid; 409 acct.ac_gid = p->p_ucred->cr_rgid; 410 411 /* (8) The boolean flags that tell how the process terminated, etc. */ 412 acct.ac_flagx = p->p_acflag; 413 414 PROC_UNLOCK(p); 415 416 /* Setup ancillary structure fields. */ 417 acct.ac_flagx |= ANVER; 418 acct.ac_zero = 0; 419 acct.ac_version = 3; 420 acct.ac_len = acct.ac_len2 = sizeof(acct); 421 422 /* 423 * Write the accounting information to the file. 424 */ 425 ret = vn_rdwr(UIO_WRITE, acct_vp, (caddr_t)&acct, sizeof (acct), 426 (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, acct_cred, NOCRED, 427 NULL, td); 428 sx_sunlock(&acct_sx); 429 td->td_pflags2 &= ~TDP2_ACCT; 430 return (ret); 431} 432 433/* FLOAT_CONVERSION_START (Regression testing; don't remove this line.) */ 434 435/* Convert timevals and longs into IEEE-754 bit patterns. */ 436 437/* Mantissa mask (MSB is implied, so subtract 1). */ 438#define MANT_MASK ((1 << (FLT_MANT_DIG - 1)) - 1) 439 440/* 441 * We calculate integer values to a precision of approximately 442 * 28 bits. 443 * This is high-enough precision to fill the 24 float bits 444 * and low-enough to avoid overflowing the 32 int bits. 445 */ 446#define CALC_BITS 28 447 448/* log_2(1000000). */ 449#define LOG2_1M 20 450 451/* 452 * Convert the elements of a timeval into a 32-bit word holding 453 * the bits of a IEEE-754 float. 454 * The float value represents the timeval's value in microsecond units. 455 */ 456static uint32_t 457encode_timeval(struct timeval tv) 458{ 459 int log2_s; 460 int val, exp; /* Unnormalized value and exponent */ 461 int norm_exp; /* Normalized exponent */ 462 int shift; 463 464 /* 465 * First calculate value and exponent to about CALC_BITS precision. 466 * Note that the following conditionals have been ordered so that 467 * the most common cases appear first. 468 */ 469 if (tv.tv_sec == 0) { 470 if (tv.tv_usec == 0) 471 return (0); 472 exp = 0; 473 val = tv.tv_usec; 474 } else { 475 /* 476 * Calculate the value to a precision of approximately 477 * CALC_BITS. 478 */ 479 log2_s = fls(tv.tv_sec) - 1; 480 if (log2_s + LOG2_1M < CALC_BITS) { 481 exp = 0; 482 val = 1000000 * tv.tv_sec + tv.tv_usec; 483 } else { 484 exp = log2_s + LOG2_1M - CALC_BITS; 485 val = (unsigned int)(((uint64_t)1000000 * tv.tv_sec + 486 tv.tv_usec) >> exp); 487 } 488 } 489 /* Now normalize and pack the value into an IEEE-754 float. */ 490 norm_exp = fls(val) - 1; 491 shift = FLT_MANT_DIG - norm_exp - 1; 492#ifdef ACCT_DEBUG 493 printf("val=%d exp=%d shift=%d log2(val)=%d\n", 494 val, exp, shift, norm_exp); 495 printf("exp=%x mant=%x\n", FLT_MAX_EXP - 1 + exp + norm_exp, 496 ((shift > 0 ? (val << shift) : (val >> -shift)) & MANT_MASK)); 497#endif 498 return (((FLT_MAX_EXP - 1 + exp + norm_exp) << (FLT_MANT_DIG - 1)) | 499 ((shift > 0 ? val << shift : val >> -shift) & MANT_MASK)); 500} 501 502/* 503 * Convert a non-negative long value into the bit pattern of 504 * an IEEE-754 float value. 505 */ 506static uint32_t 507encode_long(long val) 508{ 509 int norm_exp; /* Normalized exponent */ 510 int shift; 511 512 if (val == 0) 513 return (0); 514 if (val < 0) { 515 log(LOG_NOTICE, 516 "encode_long: negative value %ld in accounting record\n", 517 val); 518 val = LONG_MAX; 519 } 520 norm_exp = fls(val) - 1; 521 shift = FLT_MANT_DIG - norm_exp - 1; 522#ifdef ACCT_DEBUG 523 printf("val=%d shift=%d log2(val)=%d\n", 524 val, shift, norm_exp); 525 printf("exp=%x mant=%x\n", FLT_MAX_EXP - 1 + exp + norm_exp, 526 ((shift > 0 ? (val << shift) : (val >> -shift)) & MANT_MASK)); 527#endif 528 return (((FLT_MAX_EXP - 1 + norm_exp) << (FLT_MANT_DIG - 1)) | 529 ((shift > 0 ? val << shift : val >> -shift) & MANT_MASK)); 530} 531 532/* FLOAT_CONVERSION_END (Regression testing; don't remove this line.) */ 533 534/* 535 * Periodically check the filesystem to see if accounting 536 * should be turned on or off. Beware the case where the vnode 537 * has been vgone()'d out from underneath us, e.g. when the file 538 * system containing the accounting file has been forcibly unmounted. 539 */ 540/* ARGSUSED */ 541static void 542acctwatch(void) 543{ 544 struct statfs *sp; 545 546 sx_assert(&acct_sx, SX_XLOCKED); 547 548 /* 549 * If accounting was disabled before our kthread was scheduled, 550 * then acct_vp might be NULL. If so, just ask our kthread to 551 * exit and return. 552 */ 553 if (acct_vp == NULL) { 554 acct_state |= ACCT_EXITREQ; 555 return; 556 } 557 558 /* 559 * If our vnode is no longer valid, tear it down and signal the 560 * accounting thread to die. 561 */ 562 if (acct_vp->v_type == VBAD) { 563 (void) acct_disable(NULL, 1); 564 acct_state |= ACCT_EXITREQ; 565 return; 566 } 567 568 /* 569 * Stopping here is better than continuing, maybe it will be VBAD 570 * next time around. 571 */ 572 sp = malloc(sizeof(struct statfs), M_STATFS, M_WAITOK); 573 if (VFS_STATFS(acct_vp->v_mount, sp) < 0) { 574 free(sp, M_STATFS); 575 return; 576 } 577 if (acct_suspended) { 578 if (sp->f_bavail > (int64_t)(acctresume * sp->f_blocks / 579 100)) { 580 acct_suspended = 0; 581 log(LOG_NOTICE, "Accounting resumed\n"); 582 } 583 } else { 584 if (sp->f_bavail <= (int64_t)(acctsuspend * sp->f_blocks / 585 100)) { 586 acct_suspended = 1; 587 log(LOG_NOTICE, "Accounting suspended\n"); 588 } 589 } 590 free(sp, M_STATFS); 591} 592 593/* 594 * The main loop for the dedicated kernel thread that periodically calls 595 * acctwatch(). 596 */ 597static void 598acct_thread(void *dummy) 599{ 600 u_char pri; 601 602 /* This is a low-priority kernel thread. */ 603 pri = PRI_MAX_KERN; 604 thread_lock(curthread); 605 sched_prio(curthread, pri); 606 thread_unlock(curthread); 607 608 /* If another accounting kthread is already running, just die. */ 609 sx_xlock(&acct_sx); 610 if (acct_state & ACCT_RUNNING) { 611 sx_xunlock(&acct_sx); 612 kproc_exit(0); 613 } 614 acct_state |= ACCT_RUNNING; 615 616 /* Loop until we are asked to exit. */ 617 while (!(acct_state & ACCT_EXITREQ)) { 618 /* Perform our periodic checks. */ 619 acctwatch(); 620 621 /* 622 * We check this flag again before sleeping since the 623 * acctwatch() might have shut down accounting and asked us 624 * to exit. 625 */ 626 if (!(acct_state & ACCT_EXITREQ)) { 627 sx_sleep(&acct_state, &acct_sx, 0, "-", 628 acctchkfreq * hz); 629 } 630 } 631 632 /* 633 * Acknowledge the exit request and shutdown. We clear both the 634 * exit request and running flags. 635 */ 636 acct_state = 0; 637 sx_xunlock(&acct_sx); 638 kproc_exit(0); 639} 640