Date: Tue, 27 Sep 2005 16:18:50 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 84353 for review Message-ID: <200509271618.j8RGIomC006408@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=84353 Change 84353 by rwatson@rwatson_zoo on 2005/09/27 16:18:33 Move implementation of /dev/audit into audit_trigger.c, exposing an additional function, audit_trigger_init(), which will be run from audit_init(). Given the audit trigger queue its own mutex. Trim unneeded includes. While here, since our trigger mechanism doesn't support failure to enqueue a message (unlike mach port writes), remove failure handling from kern_audit.c, which simplifies things quite a bit. Annotate that the implementation broken out here is actually wsalamon's, so should probably be under his copyright and license, not an Apple one. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/conf/files#7 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#2 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#2 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#42 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/conf/files#7 (text+ko) ==== @@ -1843,6 +1843,7 @@ posix4/p1003_1b.c standard posix4/posix4_mib.c standard rpc/rpcclnt.c optional nfsclient +security/audit/audit_trigger.c optional audit security/audit/kern_audit.c standard security/audit/kern_bsm_audit.c optional audit security/audit/kern_bsm_klib.c optional audit ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#2 (text+ko) ==== @@ -51,6 +51,13 @@ int semctl_to_event(int cmr); void canon_path(struct thread *td, char *path, char *cpath); +/* + * Audit trigger events notify user space of kernel audit conditions + * asynchronously. + */ +void audit_trigger_init(void); +void send_trigger(unsigned int trigger); + #endif /* _KERNEL */ #endif /* ! _BSM_AUDIT_KLIB_H_ */ ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#2 (text+ko) ==== @@ -18,183 +18,22 @@ * under the License. * * @APPLE_LICENSE_HEADER_END@ + * + * XXXRW: Should be a wsalamon copyright and license? */ #include <sys/param.h> -#include <sys/condvar.h> #include <sys/conf.h> -#include <sys/file.h> -#include <sys/filedesc.h> -#include <sys/fcntl.h> -#include <sys/ipc.h> #include <sys/kernel.h> -#include <sys/kthread.h> #include <sys/malloc.h> -#include <sys/mount.h> -#include <sys/namei.h> #include <sys/proc.h> #include <sys/queue.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/protosw.h> -#include <sys/domain.h> -#include <sys/sysproto.h> -#include <sys/sysent.h> #include <sys/systm.h> -#include <sys/ucred.h> #include <sys/uio.h> -#include <sys/un.h> -#include <sys/unistd.h> -#include <sys/vnode.h> -#include <netinet/in.h> -#include <netinet/in_pcb.h> - -#include <bsm/audit.h> -#include <bsm/audit_kevents.h> -#include <security/audit/audit.h> -#include <security/audit/audit_klib.h> - -/* - * XXXAUDIT: Might be nice to use a UMA zone for records, and malloc(9) only - * for things like triggers, temporary storage, etc. - */ -MALLOC_DEFINE(M_AUDIT, "audit", "Audit event records"); - -#ifdef AUDIT - -/* - * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of - * gratuitously noisy printf's to the console. Due to the - * volume, it should be left off unless you want your system - * to churn a lot whenever the audit record flow gets high. - */ -//#define AUDIT_EXCESSIVELY_VERBOSE -#ifdef AUDIT_EXCESSIVELY_VERBOSE -#define AUDIT_PRINTF(x) printf x -#else -#define AUDIT_PRINTF(X) -#endif - -#if 0 -#if DIAGNOSTIC -#if defined(assert) -#undef assert() -#endif -#define assert(cond) \ - ((void) ((cond) ? 0 : panic("%s:%d (%s)", __FILE__, __LINE__, # cond))) -#else -#include <kern/assert.h> -#endif /* DIAGNOSTIC */ -#endif -#define assert(x) KASSERT(x, x) - -/* - * Define the audit control flags. - */ -int audit_enabled; -int audit_suspended; - -/* - * Mutex to protect global variables shared between various threads and - * processes. - */ -static struct mtx audit_mtx; - -/* - * Queue of audit records ready for delivery to disk. We insert new - * records at the tail, and remove records from the head. Also, - * a count of the number of records used for checking queue depth. - * In addition, a counter of records that we have allocated but are - * not yet in the queue, which is needed to estimate the total - * size of the combined set of records outstanding in the system. - */ -static TAILQ_HEAD(, kaudit_record) audit_q; -static int audit_q_len; -static int audit_pre_q_len; - -/* - * Condition variable to signal to the worker that it has work to do: - * either new records are in the queue, or a log replacement is taking - * place. - */ -static struct cv audit_cv; - -/* - * Worker thread that will schedule disk I/O, etc. - */ -static struct proc *audit_thread; - -/* - * When an audit log is rotated, the actual rotation must be performed - * by the audit worker thread, as it may have outstanding writes on the - * current audit log. audit_replacement_vp holds the vnode replacing - * the current vnode. We can't let more than one replacement occur - * at a time, so if more than one thread requests a replacement, only - * one can have the replacement "in progress" at any given moment. If - * a thread tries to replace the audit vnode and discovers a replacement - * is already in progress (i.e., audit_replacement_flag != 0), then it - * will sleep on audit_replacement_cv waiting its turn to perform a - * replacement. When a replacement is completed, this cv is signalled - * by the worker thread so a waiting thread can start another replacement. - * We also store a credential to perform audit log write operations with. - * - * The current credential and vnode are thread-local to audit_worker. - */ -static struct cv audit_replacement_cv; - -static int audit_replacement_flag; -static struct vnode *audit_replacement_vp; -static struct ucred *audit_replacement_cred; - -/* - * Condition variable to signal to the worker that it has work to do: - * either new records are in the queue, or a log replacement is taking - * place. - */ -static struct cv audit_commit_cv; - -/* - * Condition variable for auditing threads wait on when in fail-stop mode. - * Threads wait on this CV forever (and ever), never seeing the light of - * day again. - */ -static struct cv audit_fail_cv; - -static struct au_qctrl audit_qctrl; - -/* - * Flags to use on audit files when opening and closing. - */ -const static int audit_open_flags = FWRITE | O_APPEND; -const static int audit_close_flags = FWRITE | O_APPEND; - -/* - * Global audit statistiscs. - */ -static struct audit_fstat audit_fstat; - -/* - Preselection mask for non-attributable events. - */ -static struct au_mask audit_nae_mask; +#include <security/audit/audit_private.h> /* - * Flags related to Kernel->user-space communication. - */ -static int audit_file_rotate_wait; - -/* - * Flags controlling behavior in low storage situations. - * Should we panic if a write fails? Should we fail stop - * if we're out of disk space? Are we currently "failing - * stop" due to out of disk space? - */ -static int audit_panic_on_write_fail; -static int audit_fail_stop; -static int audit_in_failure; - -/* * Structures and operations to support the basic character special device * used to communicate with userland. */ @@ -205,11 +44,7 @@ static struct cdev *audit_dev; static int audit_isopen = 0; static TAILQ_HEAD(, trigger_info) trigger_list; - -/* - * Forward declarations of static functions. - */ -static void audit_shutdown(void *arg, int howto); +static struct mtx audit_trigger_mtx; static int audit_open(struct cdev *dev, int oflags, int devtype, struct thread *td) @@ -217,7 +52,7 @@ int error; // Only one process may open the device at a time - mtx_lock(&audit_mtx); + mtx_lock(&audit_trigger_mtx); if (!audit_isopen) { error = 0; audit_isopen = 1; @@ -227,7 +62,7 @@ */ error = EOPNOTSUPP; } - mtx_unlock(&audit_mtx); + mtx_unlock(&audit_trigger_mtx); return (error); } @@ -238,14 +73,14 @@ struct trigger_info *ti; /* Drain the queue of pending trigger events */ - mtx_lock(&audit_mtx); + mtx_lock(&audit_trigger_mtx); audit_isopen = 0; while (!TAILQ_EMPTY(&trigger_list)) { ti = TAILQ_FIRST(&trigger_list); TAILQ_REMOVE(&trigger_list, ti, list); free(ti, M_AUDIT); } - mtx_unlock(&audit_mtx); + mtx_unlock(&audit_trigger_mtx); return (0); } @@ -255,9 +90,9 @@ int error = 0; struct trigger_info *ti = NULL; - mtx_lock(&audit_mtx); + mtx_lock(&audit_trigger_mtx); while (TAILQ_EMPTY(&trigger_list)) { - error = msleep(&trigger_list, &audit_mtx, PSOCK | PCATCH, + error = msleep(&trigger_list, &audit_trigger_mtx, PSOCK | PCATCH, "auditd", 0); if (error) break; @@ -266,7 +101,7 @@ ti = TAILQ_FIRST(&trigger_list); TAILQ_REMOVE(&trigger_list, ti, list); } - mtx_unlock(&audit_mtx); + mtx_unlock(&audit_trigger_mtx); if (!error) { error = uiomove(ti, sizeof *ti, uio); free(ti, M_AUDIT); @@ -282,29 +117,25 @@ return EOPNOTSUPP; } -/* - * XXXAUDIT: Since we can't fail this call, we should not have a return - * value. - */ -static int +void send_trigger(unsigned int trigger) { struct trigger_info *ti; /* If nobody's listening, we ain't talking */ if (!audit_isopen) - return 0; + return; /* * XXXAUDIT: Use a condition variable instead of msleep/wakeup? */ ti = malloc(sizeof *ti, M_AUDIT, M_WAITOK); - mtx_lock(&audit_mtx); + mtx_lock(&audit_trigger_mtx); ti->trigger = trigger; TAILQ_INSERT_TAIL(&trigger_list, ti, list); wakeup(&trigger_list); - mtx_unlock(&audit_mtx); - return 0; + mtx_unlock(&audit_trigger_mtx); + return; } static struct cdevsw audit_cdevsw = { @@ -316,463 +147,16 @@ .d_name = "audit" }; -/* - * XXXAUDIT: For consistency, perhaps audit_record_free()? - */ -static void -audit_free(struct kaudit_record *ar) -{ - - if (ar->k_ar.ar_arg_upath1 != NULL) { - free(ar->k_ar.ar_arg_upath1, M_AUDIT); - } - if (ar->k_ar.ar_arg_upath2 != NULL) { - free(ar->k_ar.ar_arg_upath2, M_AUDIT); - } - if (ar->k_ar.ar_arg_kpath1 != NULL) { - free(ar->k_ar.ar_arg_kpath1, M_AUDIT); - } - if (ar->k_ar.ar_arg_kpath2 != NULL) { - free(ar->k_ar.ar_arg_kpath2, M_AUDIT); - } - if (ar->k_ar.ar_arg_text != NULL) { - free(ar->k_ar.ar_arg_text, M_AUDIT); - } - if (ar->k_udata != NULL) { - free(ar->k_udata, M_AUDIT); - } - free(ar, M_AUDIT); -} - -/* - * XXXAUDIT: Should adjust comments below to make it clear that we get to - * this point only if we believe we have storage, so not having space here - * is a violation of invariants derived from administrative procedures. - * I.e., someone else has written to the audit partition, leaving less space - * than we accounted for. - */ -static int -audit_record_write(struct vnode *vp, struct kaudit_record *ar, - struct ucred *cred, struct thread *td) -{ - int ret; - long temp; - struct au_record *bsm; - struct vattr vattr; - struct statfs *mnt_stat = &vp->v_mount->mnt_stat; - int vfslocked; - - vfslocked = VFS_LOCK_GIANT(vp->v_mount); - - /* - * First, gather statistics on the audit log file and file system - * so that we know how we're doing on space. In both cases, - * if we're unable to perform the operation, we drop the record - * and return. However, this is arguably an assertion failure. - * XXX Need a FreeBSD equivalent. - */ - ret = VFS_STATFS(vp->v_mount, mnt_stat, td); - if (ret) - goto out; - - ret = VOP_GETATTR(vp, &vattr, cred, td); - if (ret) - goto out; - - /* update the global stats struct */ - audit_fstat.af_currsz = vattr.va_size; - - /* - * XXX Need to decide what to do if the trigger to the audit daemon - * fails. - */ - - /* - * If we fall below minimum free blocks (hard limit), tell the audit - * daemon to force a rotation off of the file system. We also stop - * writing, which means this audit record is probably lost. - * If we fall below the minimum percent free blocks (soft limit), - * then kindly suggest to the audit daemon to do something. - */ - if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { - ret = send_trigger(AUDIT_TRIGGER_NO_SPACE); - if (ret != 0) { - printf( - "Failed audit_triggers(AUDIT_TRIGGER_NO_SPACE): %d\n", ret); - /* - * XXX: What to do here? Disable auditing? - * panic? - */ - } - /* Hopefully userspace did something about all the previous - * triggers that were sent prior to this critical condition. - * If fail-stop is set, then we're done; goodnight Gracie. - */ - if (audit_fail_stop) - panic("Audit log space exhausted and fail-stop set."); - else { - audit_suspended = 1; - ret = ENOSPC; - goto out; - } - } else - /* - * Send a message to the audit daemon that disk space - * is getting low. - * - * XXXAUDIT: Check math and block size calculation here. - */ - if (audit_qctrl.aq_minfree != 0) { - temp = mnt_stat->f_blocks / (100 / - audit_qctrl.aq_minfree); - if (mnt_stat->f_bfree < temp) { - ret = send_trigger(AUDIT_TRIGGER_LOW_SPACE); - if (ret != 0) { - printf( - "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret); - } - } - } - - /* Check if the current log file is full; if so, call for - * a log rotate. This is not an exact comparison; we may - * write some records over the limit. If that's not - * acceptable, then add a fudge factor here. - */ - if ((audit_fstat.af_filesz != 0) && - (audit_file_rotate_wait == 0) && - (vattr.va_size >= audit_fstat.af_filesz)) { - audit_file_rotate_wait = 1; - ret = send_trigger(AUDIT_TRIGGER_OPEN_NEW); - if (ret != 0) { - printf( - "Failed audit_triggers(AUDIT_TRIGGER_OPEN_NEW): %d\n", ret); - /* XXX what to do here? */ - } - } - - /* - * If the estimated amount of audit data in the audit event queue - * (plus records allocated but not yet queued) has reached the - * amount of free space on the disk, then we need to go into an - * audit fail stop state, in which we do not permit the - * allocation/committing of any new audit records. We continue to - * process packets but don't allow any activities that might - * generate new records. In the future, we might want to detect - * when space is available again and allow operation to continue, - * but this behavior is sufficient to meet fail stop requirements - * in CAPP. - */ - if (audit_fail_stop && - (unsigned long) - ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) / - mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) { - printf( - "audit_worker: free space below size of audit queue, failing stop\n"); - audit_in_failure = 1; - } - - /* - * If there is a user audit record attached to the kernel record, - * then write the user record. - */ - /* XXX Need to decide a few things here: IF the user audit - * record is written, but the write of the kernel record fails, - * what to do? Should the kernel record come before or after the - * user record? For now, we write the user record first, and - * we ignore errors. - */ - if (ar->k_ar_commit & AR_COMMIT_USER) { - ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen, - (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, - NULL, td); - if (ret) - goto out; - } - - /* - * Convert the internal kernel record to BSM format and write it - * out if everything's OK. - */ - if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) { - ret = 0; - goto out; - } - - /* - * XXXAUDIT: Should we actually allow this conversion to fail? With - * sleeping memory allocation and invariants checks, perhaps not. - */ - ret = kaudit_to_bsm(ar, &bsm); - if (ret == BSM_NOAUDIT) { - ret = 0; - goto out; - } - - /* - * XXX: We drop the record on BSM conversion failure, but really - * this is an assertion failure. - */ - if (ret == BSM_FAILURE) { - AUDIT_PRINTF(("BSM conversion failure\n")); - ret = EINVAL; - goto out; - } - - /* - * XXX - * We should break the write functionality away from the BSM record - * generation and have the BSM generation done before this function - * is called. This function will then take the BSM record as a - * parameter. - */ - ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len, - (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, td)); - - kau_free(bsm); - -out: - /* - * When we're done processing the current record, we have to - * check to see if we're in a failure mode, and if so, whether - * this was the last record left to be drained. If we're done - * draining, then we fsync the vnode and panic. - */ - if (audit_in_failure && - audit_q_len == 0 && audit_pre_q_len == 0) { - VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td); - (void)VOP_FSYNC(vp, MNT_WAIT, td); - VOP_UNLOCK(vp, 0, td); - panic("Audit store overflow; record queue drained."); - } - - VFS_UNLOCK_GIANT(vfslocked); - - return (ret); -} - -/* - * The audit_worker thread is responsible for watching the event queue, - * dequeueing records, converting them to BSM format, and committing them to - * disk. In order to minimize lock thrashing, records are dequeued in sets - * to a thread-local work queue. In addition, the audit_work performs the - * actual exchange of audit log vnode pointer, as audit_vp is a thread-local - * variable. - */ -static void -audit_worker(void *arg) -{ - int do_replacement_signal, error; - TAILQ_HEAD(, kaudit_record) ar_worklist; - struct kaudit_record *ar; - struct vnode *audit_vp, *old_vp; - int vfslocked; - - struct ucred *audit_cred, *old_cred; - struct thread *audit_td; - - AUDIT_PRINTF(("audit_worker starting\n")); - - /* - * These are thread-local variables requiring no synchronization. - */ - TAILQ_INIT(&ar_worklist); - audit_cred = NULL; - audit_td = curthread; - audit_vp = NULL; - - mtx_lock(&audit_mtx); - while (1) { - /* - * First priority: replace the audit log target if requested. - * Accessing the vnode here requires dropping the audit_mtx; - * in case another replacement was scheduled while the mutex - * was released, we loop. - * - * XXX It could well be we should drain existing records - * first to ensure that the timestamps and ordering - * are right. - */ - do_replacement_signal = 0; - while (audit_replacement_flag != 0) { - old_cred = audit_cred; - old_vp = audit_vp; - audit_cred = audit_replacement_cred; - audit_vp = audit_replacement_vp; - audit_replacement_cred = NULL; - audit_replacement_vp = NULL; - audit_replacement_flag = 0; - - audit_enabled = (audit_vp != NULL); - - /* - * XXX: What to do about write failures here? - */ - if (old_vp != NULL) { - AUDIT_PRINTF(("Closing old audit file\n")); - mtx_unlock(&audit_mtx); - vfslocked = VFS_LOCK_GIANT(old_vp->v_mount); - vn_close(old_vp, audit_close_flags, old_cred, - audit_td); - VFS_UNLOCK_GIANT(vfslocked); - crfree(old_cred); - mtx_lock(&audit_mtx); - old_cred = NULL; - old_vp = NULL; - AUDIT_PRINTF(("Audit file closed\n")); - } - if (audit_vp != NULL) { - AUDIT_PRINTF(("Opening new audit file\n")); - } - do_replacement_signal = 1; - } - /* - * Signal that replacement have occurred to wake up and - * start any other replacements started in parallel. We can - * continue about our business in the mean time. We - * broadcast so that both new replacements can be inserted, - * but also so that the source(s) of replacement can return - * successfully. - */ - if (do_replacement_signal) - cv_broadcast(&audit_replacement_cv); - - /* - * Next, check to see if we have any records to drain into - * the vnode. If not, go back to waiting for an event. - */ - if (TAILQ_EMPTY(&audit_q)) { - AUDIT_PRINTF(("audit_worker waiting\n")); - cv_wait(&audit_cv, &audit_mtx); - AUDIT_PRINTF(("audit_worker woken up\n")); - AUDIT_PRINTF(("audit_worker: new vp = %p; value of flag %d\n", - audit_replacement_vp, audit_replacement_flag)); - continue; - } - - /* - * If we have records, but there's no active vnode to - * write to, drain the record queue. Generally, we - * prevent the unnecessary allocation of records - * elsewhere, but we need to allow for races between - * conditional allocation and queueing. Go back to - * waiting when we're done. - * - * XXX: We go out of our way to avoid calling audit_free() - * with the audit_mtx held, to avoid a lock order reversal - * as free() may grab Giant. This should be fixed at - * some point. - */ - if (audit_vp == NULL) { - while ((ar = TAILQ_FIRST(&audit_q))) { - TAILQ_REMOVE(&audit_q, ar, k_q); - audit_q_len--; - if (audit_q_len <= audit_qctrl.aq_lowater) - cv_broadcast(&audit_commit_cv); - - TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); - } - mtx_unlock(&audit_mtx); - while ((ar = TAILQ_FIRST(&ar_worklist))) { - TAILQ_REMOVE(&ar_worklist, ar, k_q); - audit_free(ar); - } - mtx_lock(&audit_mtx); - continue; - } - - /* - * We have both records to write and an active vnode - * to write to. Dequeue a record, and start the write. - * Eventually, it might make sense to dequeue several - * records and perform our own clustering, if the lower - * layers aren't doing it automatically enough. - * - * XXX: We go out of our way to avoid calling audit_free() - * with the audit_mtx held, to avoid a lock order reversal - * as free() may grab Giant. This should be fixed at - * some point. - * - * XXXAUDIT: free() no longer grabs Giant. - */ - while ((ar = TAILQ_FIRST(&audit_q))) { - TAILQ_REMOVE(&audit_q, ar, k_q); - audit_q_len--; - if (audit_q_len <= audit_qctrl.aq_lowater) - cv_broadcast(&audit_commit_cv); - - TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); - } - - mtx_unlock(&audit_mtx); - while ((ar = TAILQ_FIRST(&ar_worklist))) { - TAILQ_REMOVE(&ar_worklist, ar, k_q); - if (audit_vp != NULL) { - error = audit_record_write(audit_vp, ar, - audit_cred, audit_td); - if (error && audit_panic_on_write_fail) - panic("audit_worker: write error %d\n", - error); - else if (error) - printf("audit_worker: write error %d\n", - error); - } - audit_free(ar); - } - mtx_lock(&audit_mtx); - } -} - -/* - * Initialize the Audit subsystem: configuration state, work queue, - * synchronization primitives, worker thread, and trigger device node. Also - * call into the BSM assembly code to initialize it. - */ -static void -audit_init(void) +void +audit_trigger_init(void) { - int error; - - printf("Security auditing service present\n"); - TAILQ_INIT(&audit_q); - audit_q_len = 0; - audit_pre_q_len = 0; - audit_enabled = 0; - audit_suspended = 0; - audit_replacement_cred = NULL; - audit_replacement_flag = 0; - audit_file_rotate_wait = 0; - audit_replacement_vp = NULL; - audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */ - audit_fstat.af_currsz = 0; - audit_qctrl.aq_hiwater = AQ_HIWATER; - audit_qctrl.aq_lowater = AQ_LOWATER; - audit_qctrl.aq_bufsz = AQ_BUFSZ; - audit_qctrl.aq_minfree = AU_FS_MINFREE; - - mtx_init(&audit_mtx, "audit_mtx", NULL, MTX_DEF); - cv_init(&audit_cv, "audit_cv"); - cv_init(&audit_replacement_cv, "audit_replacement_cv"); - cv_init(&audit_commit_cv, "audit_commit_cv"); - cv_init(&audit_fail_cv, "audit_fail_cv"); - - /* Initialize the BSM audit subsystem. */ - kau_init(); TAILQ_INIT(&trigger_list); - - /* Register shutdown handler. */ - EVENTHANDLER_REGISTER(shutdown_pre_sync, audit_shutdown, NULL, - SHUTDOWN_PRI_FIRST); - - error = kthread_create(audit_worker, NULL, &audit_thread, RFHIGHPID, - 0, "audit_worker"); - if (error != 0) - panic("audit_init: kthread_create returned %d", error); + mtx_init(&audit_trigger_mtx, "audit_trigger_mtx", NULL, MTX_DEF); } static void -audit_cdev_init(void *unused) +audit_trigger_cdev_init(void *unused) { /* Create the special device file */ @@ -780,1768 +164,5 @@ AUDITDEV_FILENAME); } -SYSINIT(audit_init, SI_SUB_AUDIT, SI_ORDER_FIRST, audit_init, NULL) -SYSINIT(audit_cdev_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_cdev_init, - NULL) - -/* - * audit_rotate_vnode() is called by a user or kernel thread to configure or - * de-configure auditing on a vnode. The arguments are the replacement - * credential and vnode to substitute for the current credential and vnode, - * if any. If either is set to NULL, both should be NULL, and this is used - * to indicate that audit is being disabled. The real work is done in the - * audit_worker thread, but audit_rotate_vnode() waits synchronously for that - * to complete. - * - * The vnode should be referenced and opened by the caller. The credential - * should be referenced. audit_rotate_vnode() will own both references as of - * this call, so the caller should not release either. - * - * XXXAUDIT: Review synchronize communication logic. Really, this is a - * message queue of depth 1. - * - * XXXAUDIT: Enhance the comments below to indicate that we are basically - * acquiring ownership of the communications queue, inserting our message, - * and waiting for an acknowledgement. - */ -static void -audit_rotate_vnode(struct ucred *cred, struct vnode *vp) -{ - - /* - * If other parallel log replacements have been requested, we wait - * until they've finished before continuing. - */ - mtx_lock(&audit_mtx); - while (audit_replacement_flag != 0) { - AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for " - "flag\n")); - cv_wait(&audit_replacement_cv, &audit_mtx); - AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n", - audit_replacement_flag)); - } - audit_replacement_cred = cred; - audit_replacement_flag = 1; - audit_replacement_vp = vp; - - /* - * Wake up the audit worker to perform the exchange once we - * release the mutex. - */ - cv_signal(&audit_cv); - - /* - * Wait for the audit_worker to broadcast that a replacement has - * taken place; we know that once this has happened, our vnode - * has been replaced in, so we can return successfully. - */ - AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of " - "replacement\n")); - cv_wait(&audit_replacement_cv, &audit_mtx); - AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by " - "audit_worker (flag " "now %d)\n", audit_replacement_flag)); - mtx_unlock(&audit_mtx); - - /* XXX Need to figure out how the kernel->userspace file full - * signalling will take place. - * - * XXXAUDIT: This comment may now be obsolete. - */ - audit_file_rotate_wait = 0; /* We can now request another rotation */ -} - -/* - * Drain the audit queue and close the log at shutdown. Note that this can - * be called both from the system shutdown path and also from audit - * configuration syscalls, so 'arg' and 'howto' are ignored. - */ -static void -audit_shutdown(void *arg, int howto) -{ - - audit_rotate_vnode(NULL, NULL); -} - -/* - * Return the current thread's audit record, if any. - */ -static __inline__ struct kaudit_record * -currecord(void) -{ - - return (curthread->td_ar); -} - -/********************************** - * Begin system calls. * - **********************************/ -/* - * MPSAFE - * - * System call to allow a user space application to submit a BSM audit - * record to the kernel for inclusion in the audit log. This function - * does little verification on the audit record that is submitted. - * - * XXXAUDIT: Audit preselection for user records does not currently - * work, since we pre-select only based on the AUE_audit event type, - * not the event type submitted as part of the user audit data. - */ -/* ARGSUSED */ -int -audit(struct thread *td, struct audit_args *uap) -{ - int error; - void * rec; - struct kaudit_record *ar; - - error = suser(td); - if (error) - return (error); - - if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz)) - return (EINVAL); - - ar = currecord(); - - /* If there's no current audit record (audit() itself not audited) - * commit the user audit record. - */ - if (ar == NULL) { - - /* This is not very efficient; we're required to allocate - * a complete kernel audit record just so the user record - * can tag along. - * - * XXXAUDIT: Maybe AUE_AUDIT in the system call context and - * special pre-select handling? - */ - td->td_ar = audit_new(AUE_NULL, td); - if (td->td_ar == NULL) - return (ENOTSUP); - ar = td->td_ar; - } - - if (uap->length > MAX_AUDIT_RECORD_SIZE) - return (EINVAL); - - rec = malloc(uap->length, M_AUDIT, M_WAITOK); - - error = copyin(uap->record, rec, uap->length); - if (error) - goto free_out; - - /* Verify the record */ - if (bsm_rec_verify(rec) == 0) { - error = EINVAL; - goto free_out; - } - - /* Attach the user audit record to the kernel audit record. Because - * this system call is an auditable event, we will write the user - * record along with the record for this audit event. - * - * XXXAUDIT: KASSERT appropriate starting values of k_udata, k_ulen, - * k_ar_commit & AR_COMMIT_USER? - */ - ar->k_udata = rec; - ar->k_ulen = uap->length; - ar->k_ar_commit |= AR_COMMIT_USER; - return (0); - -free_out: - /* audit_syscall_exit() will free the audit record on the thread - * even if we allocated it above. - */ - free(rec, M_AUDIT); - return (error); -} - -/* - * MPSAFE - * - * System call to manipulate auditing. - */ -/* ARGSUSED */ -int >>> TRUNCATED FOR MAIL (1000 lines) <<<
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200509271618.j8RGIomC006408>