/*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 1999-2008 Apple Inc. * Copyright (c) 2006-2008, 2016, 2018 Robert N. M. Watson * All rights reserved. * * Portions of this software were developed by BAE Systems, the University of * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent * Computing (TC) research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * Worker thread that will schedule disk I/O, etc. */ static struct proc *audit_thread; /* * audit_cred and audit_vp are the stored credential and vnode to use for * active audit trail. They are protected by the audit worker lock, which * will be held across all I/O and all rotation to prevent them from being * replaced (rotated) while in use. The audit_file_rotate_wait flag is set * when the kernel has delivered a trigger to auditd to rotate the trail, and * is cleared when the next rotation takes place. It is also protected by * the audit worker lock. */ static int audit_file_rotate_wait; static struct ucred *audit_cred; static struct vnode *audit_vp; static off_t audit_size; static struct sx audit_worker_lock; #define AUDIT_WORKER_LOCK_INIT() sx_init(&audit_worker_lock, \ "audit_worker_lock"); #define AUDIT_WORKER_LOCK_ASSERT() sx_assert(&audit_worker_lock, \ SA_XLOCKED) #define AUDIT_WORKER_LOCK() sx_xlock(&audit_worker_lock) #define AUDIT_WORKER_UNLOCK() sx_xunlock(&audit_worker_lock) static void audit_worker_sync_vp(struct vnode *vp, struct mount *mp, const char *fmt, ...) { struct mount *mp1; int error; va_list va; va_start(va, fmt); error = vn_start_write(vp, &mp1, 0); if (error == 0) { VOP_LOCK(vp, LK_EXCLUSIVE | LK_RETRY); (void)VOP_FSYNC(vp, MNT_WAIT, curthread); VOP_UNLOCK(vp); vn_finished_write(mp1); } vfs_unbusy(mp); vpanic(fmt, va); va_end(va); } /* * Write an audit record to a file, performed as the last stage after both * preselection and BSM conversion. Both space management and write failures * are handled in this function. * * No attempt is made to deal with possible failure to deliver a trigger to * the audit daemon, since the message is asynchronous anyway. */ static void audit_record_write(struct vnode *vp, struct ucred *cred, void *data, size_t len) { static struct timeval last_lowspace_trigger; static struct timeval last_fail; static int cur_lowspace_trigger; struct statfs *mnt_stat; struct mount *mp; int error; static int cur_fail; long temp; AUDIT_WORKER_LOCK_ASSERT(); if (vp == NULL) return; mp = vp->v_mount; if (mp == NULL) { error = EINVAL; goto fail; } error = vfs_busy(mp, 0); if (error != 0) { mp = NULL; goto fail; } mnt_stat = &mp->mnt_stat; /* * First, gather statistics on the audit log file and file system so * that we know how we're doing on space. Consider failure of these * operations to indicate a future inability to write to the file. */ error = VFS_STATFS(mp, mnt_stat); if (error != 0) goto fail; /* * We handle four different space-related limits: * * - A fixed (hard) limit on the minimum free blocks we require on * the file system, and results in record loss, a trigger, and * possible fail stop due to violating invariants. * * - An administrative (soft) limit, which when fallen below, results * in the kernel notifying the audit daemon of low space. * * - An audit trail size limit, which when gone above, results in the * kernel notifying the audit daemon that rotation is desired. * * - The total depth of the kernel audit record exceeding free space, * which can lead to possible fail stop (with drain), in order to * prevent violating invariants. Failure here doesn't halt * immediately, but prevents new records from being generated. * * Possibly, the last of these should be handled differently, always * allowing a full queue to be lost, rather than trying to prevent * loss. * * First, handle the hard limit, which generates a trigger and may * fail stop. This is handled in the same manner as ENOSPC from * VOP_WRITE, and results in record loss. */ if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { error = ENOSPC; goto fail_enospc; } /* * Second, handle falling below the soft limit, if defined; we send * the daemon a trigger and continue processing the record. Triggers * are limited to 1/sec. */ if (audit_qctrl.aq_minfree != 0) { temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree); if (mnt_stat->f_bfree < temp) { if (ppsratecheck(&last_lowspace_trigger, &cur_lowspace_trigger, 1)) { (void)audit_send_trigger( AUDIT_TRIGGER_LOW_SPACE); printf("Warning: disk space low (< %d%% free) " "on audit log file-system\n", audit_qctrl.aq_minfree); } } } /* * If the current file is getting full, generate a rotation trigger * to the daemon. This is only approximate, which is fine as more * records may be generated before the daemon rotates the file. */ if (audit_fstat.af_filesz != 0 && audit_size >= audit_fstat.af_filesz * (audit_file_rotate_wait + 1)) { AUDIT_WORKER_LOCK_ASSERT(); audit_file_rotate_wait++; (void)audit_send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL); } /* * If the estimated amount of audit data in the audit event queue * (plus records allocated but not yet queued) has reached the amount * of free space on the disk, then we need to go into an audit fail * stop state, in which we do not permit the allocation/committing of * any new audit records. We continue to process records but don't * allow any activities that might generate new records. In the * future, we might want to detect when space is available again and * allow operation to continue, but this behavior is sufficient to * meet fail stop requirements in CAPP. */ if (audit_fail_stop) { if ((unsigned long)((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) / mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) { if (ppsratecheck(&last_fail, &cur_fail, 1)) printf("audit_record_write: free space " "below size of audit queue, failing " "stop\n"); audit_in_failure = 1; } else if (audit_in_failure) { /* * Note: if we want to handle recovery, this is the * spot to do it: unset audit_in_failure, and issue a * wakeup on the cv. */ } } error = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, curthread); if (error == ENOSPC) goto fail_enospc; else if (error) goto fail; AUDIT_WORKER_LOCK_ASSERT(); audit_size += len; /* * Catch completion of a queue drain here; if we're draining and the * queue is now empty, fail stop. That audit_fail_stop is implicitly * true, since audit_in_failure can only be set of audit_fail_stop is * set. * * Note: if we handle recovery from audit_in_failure, then we need to * make panic here conditional. */ if (audit_in_failure) { if (audit_q_len == 0 && audit_pre_q_len == 0) { audit_worker_sync_vp(vp, mp, "Audit store overflow; record queue drained."); } } vfs_unbusy(mp); return; fail_enospc: /* * ENOSPC is considered a special case with respect to failures, as * this can reflect either our preemptive detection of insufficient * space, or ENOSPC returned by the vnode write call. */ if (audit_fail_stop) { audit_worker_sync_vp(vp, mp, "Audit log space exhausted and fail-stop set."); } (void)audit_send_trigger(AUDIT_TRIGGER_NO_SPACE); audit_trail_suspended = 1; audit_syscalls_enabled_update(); /* FALLTHROUGH */ fail: /* * We have failed to write to the file, so the current record is * lost, which may require an immediate system halt. */ if (audit_panic_on_write_fail) { audit_worker_sync_vp(vp, mp, "audit_worker: write error %d\n", error); } else if (ppsratecheck(&last_fail, &cur_fail, 1)) printf("audit_worker: write error %d\n", error); if (mp != NULL) vfs_unbusy(mp); } /* * Given a kernel audit record, process as required. Kernel audit records * are converted to one, or possibly two, BSM records, depending on whether * there is a user audit record present also. Kernel records need be * converted to BSM before they can be written out. Both types will be * written to disk, and audit pipes. */ static void audit_worker_process_record(struct kaudit_record *ar) { struct au_record *bsm; au_class_t class; au_event_t event; au_id_t auid; int error, sorf; int locked; /* * We hold the audit worker lock over both writes, if there are two, * so that the two records won't be split across a rotation and end * up in two different trail files. */ if (((ar->k_ar_commit & AR_COMMIT_USER) && (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) || (ar->k_ar_commit & AR_PRESELECT_TRAIL)) { AUDIT_WORKER_LOCK(); locked = 1; } else locked = 0; /* * First, handle the user record, if any: commit to the system trail * and audit pipes as selected. */ if ((ar->k_ar_commit & AR_COMMIT_USER) && (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) { AUDIT_WORKER_LOCK_ASSERT(); audit_record_write(audit_vp, audit_cred, ar->k_udata, ar->k_ulen); } if ((ar->k_ar_commit & AR_COMMIT_USER) && (ar->k_ar_commit & AR_PRESELECT_USER_PIPE)) audit_pipe_submit_user(ar->k_udata, ar->k_ulen); if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) || ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 && (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0 && (ar->k_ar_commit & AR_PRESELECT_DTRACE) == 0)) goto out; auid = ar->k_ar.ar_subj_auid; event = ar->k_ar.ar_event; class = au_event_class(event); if (ar->k_ar.ar_errno == 0) sorf = AU_PRS_SUCCESS; else sorf = AU_PRS_FAILURE; error = kaudit_to_bsm(ar, &bsm); switch (error) { case BSM_NOAUDIT: goto out; case BSM_FAILURE: printf("audit_worker_process_record: BSM_FAILURE\n"); goto out; case BSM_SUCCESS: break; default: panic("kaudit_to_bsm returned %d", error); } if (ar->k_ar_commit & AR_PRESELECT_TRAIL) { AUDIT_WORKER_LOCK_ASSERT(); audit_record_write(audit_vp, audit_cred, bsm->data, bsm->len); } if (ar->k_ar_commit & AR_PRESELECT_PIPE) audit_pipe_submit(auid, event, class, sorf, ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data, bsm->len); #ifdef KDTRACE_HOOKS /* * Version of the dtaudit commit hook that accepts BSM. */ if (ar->k_ar_commit & AR_PRESELECT_DTRACE) { if (dtaudit_hook_bsm != NULL) dtaudit_hook_bsm(ar, auid, event, class, sorf, bsm->data, bsm->len); } #endif kau_free(bsm); out: if (locked) AUDIT_WORKER_UNLOCK(); } /* * The audit_worker thread is responsible for watching the event queue, * dequeueing records, converting them to BSM format, and committing them to * disk. In order to minimize lock thrashing, records are dequeued in sets * to a thread-local work queue. * * Note: this means that the effect bound on the size of the pending record * queue is 2x the length of the global queue. */ static void audit_worker(void *arg) { struct kaudit_queue ar_worklist; struct kaudit_record *ar; int lowater_signal; TAILQ_INIT(&ar_worklist); mtx_lock(&audit_mtx); while (1) { mtx_assert(&audit_mtx, MA_OWNED); /* * Wait for a record. */ while (TAILQ_EMPTY(&audit_q)) cv_wait(&audit_worker_cv, &audit_mtx); /* * If there are records in the global audit record queue, * transfer them to a thread-local queue and process them * one by one. If we cross the low watermark threshold, * signal any waiting processes that they may wake up and * continue generating records. */ lowater_signal = 0; while ((ar = TAILQ_FIRST(&audit_q))) { TAILQ_REMOVE(&audit_q, ar, k_q); audit_q_len--; if (audit_q_len == audit_qctrl.aq_lowater) lowater_signal++; TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); } if (lowater_signal) cv_broadcast(&audit_watermark_cv); mtx_unlock(&audit_mtx); while ((ar = TAILQ_FIRST(&ar_worklist))) { TAILQ_REMOVE(&ar_worklist, ar, k_q); audit_worker_process_record(ar); audit_free(ar); } mtx_lock(&audit_mtx); } } /* * audit_rotate_vnode() is called by a user or kernel thread to configure or * de-configure auditing on a vnode. The arguments are the replacement * credential (referenced) and vnode (referenced and opened) to substitute * for the current credential and vnode, if any. If either is set to NULL, * both should be NULL, and this is used to indicate that audit is being * disabled. Any previous cred/vnode will be closed and freed. We re-enable * generating rotation requests to auditd. */ void audit_rotate_vnode(struct ucred *cred, struct vnode *vp) { struct ucred *old_audit_cred; struct vnode *old_audit_vp; struct vattr vattr; KASSERT((cred != NULL && vp != NULL) || (cred == NULL && vp == NULL), ("audit_rotate_vnode: cred %p vp %p", cred, vp)); if (vp != NULL) { vn_lock(vp, LK_SHARED | LK_RETRY); if (VOP_GETATTR(vp, &vattr, cred) != 0) vattr.va_size = 0; VOP_UNLOCK(vp); } else { vattr.va_size = 0; } /* * Rotate the vnode/cred, and clear the rotate flag so that we will * send a rotate trigger if the new file fills. */ AUDIT_WORKER_LOCK(); old_audit_cred = audit_cred; old_audit_vp = audit_vp; audit_cred = cred; audit_vp = vp; audit_size = vattr.va_size; audit_file_rotate_wait = 0; audit_trail_enabled = (audit_vp != NULL); audit_syscalls_enabled_update(); AUDIT_WORKER_UNLOCK(); /* * If there was an old vnode/credential, close and free. */ if (old_audit_vp != NULL) { vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS, old_audit_cred, curthread); crfree(old_audit_cred); } } void audit_worker_init(void) { int error; AUDIT_WORKER_LOCK_INIT(); error = kproc_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 0, "audit"); if (error) panic("audit_worker_init: kproc_create returned %d", error); }