2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2011, David E. O'Brien.
5 * Copyright (c) 2009-2011, Juniper Networks, Inc.
6 * Copyright (c) 2015-2016, EMC Corp.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
34 #include "opt_compat.h"
36 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/capsicum.h>
41 #include <sys/condvar.h>
43 #include <sys/fcntl.h>
44 #include <sys/ioccom.h>
45 #include <sys/kernel.h>
47 #include <sys/malloc.h>
48 #include <sys/module.h>
52 #include <sys/syscall.h>
53 #include <sys/sysent.h>
54 #include <sys/sysproto.h>
59 #if defined(COMPAT_FREEBSD32)
60 #include <compat/freebsd32/freebsd32_syscall.h>
61 #include <compat/freebsd32/freebsd32_proto.h>
62 #include <compat/freebsd32/freebsd32_util.h>
/*
 * Device-switch table for the filemon character device. The entries visible
 * in this listing wire up only the open, close and ioctl handlers; the rest of
 * the initializer is not part of the listing.
 */
65 static d_close_t filemon_close;
66 static d_ioctl_t filemon_ioctl;
67 static d_open_t filemon_open;
69 static struct cdevsw filemon_cdevsw = {
70 .d_version = D_VERSION,
71 .d_close = filemon_close,
72 .d_ioctl = filemon_ioctl,
73 .d_open = filemon_open,
/* Private malloc(9) type: the filemon allocation and free in this file use M_FILEMON. */
77 MALLOC_DECLARE(M_FILEMON);
78 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor");
81 * The filemon->lock protects several things currently:
82 * - fname1/fname2/msgbufr are pre-allocated and used per syscall
83 * for logging and copyins rather than stack variables.
84 * - Serializing the filemon's log output.
85 * - Preventing inheritance or removal of the filemon into proc.p_filemon.
/*
 * Fields of the per-open tracer state (allocated in filemon_open() with
 * sizeof(*filemon)). NOTE(review): the struct's opening and closing lines are
 * not part of this listing.
 */
88 struct sx lock; /* Lock for this filemon. */
89 struct file *fp; /* Output file pointer. */
/* cred is taken with crhold() in filemon_open() and dropped with crfree() in filemon_release(). */
90 struct ucred *cred; /* Credential of tracer. */
91 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */
92 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */
/* msgbufr's size is the bound handed to snprintf() by the header and trailer writers. */
93 char msgbufr[1024]; /* Output message buffer. */
94 int error; /* Log write error, returned on close(2). */
/* refcnt is initialised to 1 in filemon_open(); the last filemon_release() frees the structure. */
95 u_int refcnt; /* Pointer reference count. */
96 u_int proccnt; /* Process count. */
/* The device node created in filemon_load() and destroyed on unload. */
99 static struct cdev *filemon_dev;
/* Forward declaration; the definition is not in this listing. */
100 static void filemon_output(struct filemon *filemon, char *msg, size_t len);
/*
 * Take one more reference on a filemon by bumping its refcnt with
 * refcount_acquire(). Callers in this file use the returned pointer
 * (filemon_proc_get, filemon_attach_proc).
 * NOTE(review): the return statement and whatever guards the
 * refcount_acquire() call are on lines missing from this listing.
 */
102 static __inline struct filemon *
103 filemon_acquire(struct filemon *filemon)
107 refcount_acquire(&filemon->refcnt);
112 * Release a reference and free on the last one.
/*
 * Drop one reference. When it was the last one, tear the filemon down:
 * release the stored credential, destroy the sx lock and free the memory.
 * Because the lock itself is destroyed here, the final release must happen
 * with filemon->lock not held.
 */
115 filemon_release(struct filemon *filemon)
/*
 * refcount_release() yields 0 while other references remain.
 * NOTE(review): the statement guarded by this test is not in the listing --
 * presumably an early return; confirm.
 */
118 if (refcount_release(&filemon->refcnt) == 0)
121 * There are valid cases of releasing while locked, such as in
122 * filemon_untrack_processes, but none which are done where there
123 * is not at least 1 reference remaining.
/*
 * sx_assert() is a debugging check only, so "unlocked on the last release"
 * is a caller obligation rather than something enforced at run time.
 */
125 sx_assert(&filemon->lock, SA_UNLOCKED);
127 if (filemon->cred != NULL)
128 crfree(filemon->cred);
129 sx_destroy(&filemon->lock);
130 free(filemon, M_FILEMON);
134 * Acquire the proc's p_filemon reference and lock the filemon.
135 * The proc's p_filemon may not match this filemon on return.
/*
 * Fetch the filemon attached to process p, take a reference on it and lock it
 * exclusively. The first test is an early-out for processes with no filemon.
 * Callers pair a non-NULL result with filemon_drop(), which unlocks and
 * releases.
 * NOTE(review): original lines 143-144 and 146-150 are not in this listing,
 * so the locking around the p_filemon read and the handling of a NULL result
 * from filemon_acquire() cannot be checked from here.
 */
137 static struct filemon *
138 filemon_proc_get(struct proc *p)
140 struct filemon *filemon;
142 if (p->p_filemon == NULL)
145 filemon = filemon_acquire(p->p_filemon);
151 * The p->p_filemon may have changed by now. That case is handled
152 * by the exit and fork hooks and filemon_attach_proc specially.
/* May sleep: sx locks are sleepable, so this cannot run with a mutex held. */
154 sx_xlock(&filemon->lock);
158 /* Remove and release the filemon on the given process. */
/*
 * Detach the filemon from process p and give back the reference the process
 * held. The caller must hold p->p_filemon->lock exclusively.
 * NOTE(review): original lines 169-172 are not in this listing, so the
 * statements that update p->p_filemon and the counters cannot be checked here.
 */
160 filemon_proc_drop(struct proc *p)
162 struct filemon *filemon;
164 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon",
166 sx_assert(&p->p_filemon->lock, SA_XLOCKED);
/* Keep a local copy: the release below must use the pointer the process held. */
168 filemon = p->p_filemon;
173 * This should not be the last reference yet. filemon_release()
174 * cannot be called with filemon locked, which the caller expects
/*
 * KASSERT is compiled in only on INVARIANTS kernels. Without it, a
 * last-reference release at this point would destroy and free a filemon whose
 * lock is still held, so callers must guarantee another reference exists.
 */
177 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p "
178 "with last reference", __func__, p, filemon));
179 filemon_release(filemon);
182 /* Unlock and release the filemon. */
/*
 * Counterpart of a locked acquisition: unlock first, then drop the reference.
 * The order matters because filemon_release() asserts the lock is not held
 * and destroys it when the last reference goes away.
 */
184 filemon_drop(struct filemon *filemon)
187 sx_xunlock(&filemon->lock);
188 filemon_release(filemon);
191 #include "filemon_wrapper.c"
/*
 * Write the log preamble (format version, target pid, start time) through
 * filemon_output(). Uses the shared msgbufr, so the caller is expected to hold
 * filemon->lock; filemon_ioctl() calls this with the lock held exclusively.
 * NOTE(review): the declarations and the call that fills `now` are on lines
 * not in this listing.
 */
194 filemon_write_header(struct filemon *filemon)
/*
 * snprintf() returns the length the full string would have had, not the
 * number of bytes stored. The format below contains only short literals and
 * integer conversions, so the result stays far below sizeof(msgbufr) and
 * `len` never exceeds what is actually in the buffer.
 */
201 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
202 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n",
203 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec,
204 (uintmax_t)now.tv_usec, FILEMON_VERSION);
206 filemon_output(filemon, filemon->msgbufr, len);
210 * Invalidate the passed filemon in all processes.
/*
 * Detach this filemon from every process that still points at it. Called with
 * filemon->lock held exclusively (from filemon_dtr() and from the
 * FILEMON_SET_PID path in filemon_ioctl()).
 * Lock order on this path: filemon->lock first, then allproc_lock (shared).
 */
213 filemon_untrack_processes(struct filemon *filemon)
217 sx_assert(&filemon->lock, SA_XLOCKED);
219 /* Avoid allproc loop if there is no need. */
220 if (filemon->proccnt == 0)
224 * Processes in this list won't go away while here since
225 * filemon_event_process_exit() will lock on filemon->lock
228 sx_slock(&allproc_lock);
229 FOREACH_PROC_IN_SYSTEM(p) {
231 * No PROC_LOCK is needed to compare here since it is
232 * guaranteed to not change since we have its filemon
233 * locked. Everything that changes this p_filemon will
/* Only processes attached to this exact filemon are touched; other tracers are left alone. */
236 if (p->p_filemon == filemon)
237 filemon_proc_drop(p);
239 sx_sunlock(&allproc_lock);
242 * It's possible some references were acquired but will be
243 * dropped shortly as they are restricted from being
244 * inherited. There is at least the reference in cdevpriv remaining.
/* Post-conditions, checked on INVARIANTS kernels only: still referenced, no attached processes. */
246 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have "
247 "references still.", __func__, filemon));
248 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have "
249 "attached procs still.", __func__, filemon));
/*
 * Finish the log: emit the "# Stop" trailer and drop the filemon's hold on the
 * output file. Entered and left with filemon->lock held exclusively, but the
 * lock is released around fdrop(), so anything a caller read under the lock
 * before this call may be stale afterwards.
 */
256 filemon_close_log(struct filemon *filemon)
262 sx_assert(&filemon->lock, SA_XLOCKED);
/* No output file set: nothing to close (the guarded statement is not in this listing). */
263 if (filemon->fp == NULL)
/* Fixed-format trailer, bounded by sizeof(msgbufr); two integer fields only. */
268 len = snprintf(filemon->msgbufr,
269 sizeof(filemon->msgbufr),
270 "# Stop %ju.%06ju\n# Bye bye\n",
271 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec);
273 filemon_output(filemon, filemon->msgbufr, len);
/*
 * NOTE(review): `fp` is a local whose assignment (original lines 274-276) is
 * not shown. Confirm filemon->fp is cleared before the unlock below, so no
 * other thread can log to a file whose reference is being dropped.
 */
277 sx_xunlock(&filemon->lock);
278 fdrop(fp, curthread);
279 sx_xlock(&filemon->lock);
283 * The devfs file is being closed. Untrace all processes. It is possible
284 * filemon_close/close(2) was not called.
/*
 * cdevpriv destructor, registered in filemon_open() through
 * devfs_set_cdevpriv(). It is the final teardown for one open of the device:
 * detach every traced process, close the log, then unlock and drop a
 * reference with filemon_drop().
 */
287 filemon_dtr(void *data)
289 struct filemon *filemon = data;
294 sx_xlock(&filemon->lock);
296 * Detach the filemon. It cannot be inherited after this.
/* Order: processes are detached before the log is closed, both under the lock. */
298 filemon_untrack_processes(filemon);
299 filemon_close_log(filemon);
/* Unlocks before releasing, as filemon_release() requires for a final reference. */
300 filemon_drop(filemon);
303 /* Attach the filemon to the process. */
/*
 * Attach filemon to process p, first detaching whatever filemon p had.
 * Preconditions, all asserted below: filemon->lock held exclusively, p's
 * process lock owned, p neither exiting (P_WEXIT) nor in exec (P_INEXEC).
 * NOTE(review): return statements and several lines inside the loop are not
 * in this listing.
 */
305 filemon_attach_proc(struct filemon *filemon, struct proc *p)
307 struct filemon *filemon2;
309 sx_assert(&filemon->lock, SA_XLOCKED);
310 PROC_LOCK_ASSERT(p, MA_OWNED);
311 KASSERT((p->p_flag & P_WEXIT) == 0,
312 ("%s: filemon %p attaching to exiting process %p",
313 __func__, filemon, p));
314 KASSERT((p->p_flag & P_INEXEC) == 0,
315 ("%s: filemon %p attaching to execing process %p",
316 __func__, filemon, p));
/* Already attached to this filemon (the guarded statement is not in this listing). */
318 if (p->p_filemon == filemon)
321 * Don't allow truncating other process traces. It is
322 * not really intended to trace procs other than curproc
/*
 * Protects an existing trace from being taken over: a process that already
 * has a filemon can only be re-attached by itself (p == curproc). The branch
 * body is not in this listing.
 */
325 if (p->p_filemon != NULL && p != curproc)
328 * Historic behavior of filemon has been to let a child initiate
329 * tracing on itself and cease existing tracing. Bmake
330 * .META + .MAKE relies on this. It is only relevant for attaching to
333 while (p->p_filemon != NULL) {
/*
 * This filemon's lock is released before filemon_proc_get() locks the old
 * one and re-taken only after filemon_drop() has unlocked it, so two filemon
 * locks are never held together. p->p_filemon can change in that window,
 * which is why it is re-checked below and by the enclosing loop.
 */
335 sx_xunlock(&filemon->lock);
336 while ((filemon2 = filemon_proc_get(p)) != NULL) {
337 /* It may have changed. */
338 if (p->p_filemon == filemon2)
339 filemon_proc_drop(p);
340 filemon_drop(filemon2);
342 sx_xlock(&filemon->lock);
345 * It may have been attached to, though unlikely.
346 * Try again if needed.
/* With the old filemon gone, the process stores its own counted reference to the new one. */
350 KASSERT(p->p_filemon == NULL,
351 ("%s: proc %p didn't detach filemon %p", __func__, p,
353 p->p_filemon = filemon_acquire(filemon);
/*
 * ioctl handler. The per-open filemon is fetched from cdevpriv and locked
 * exclusively for the whole command. Two commands are visible in this
 * listing: setting the output descriptor and FILEMON_SET_PID.
 * The device node is created with mode 0666 in filemon_load(), so the checks
 * made here decide who may trace which process and where the log is written.
 * NOTE(review): the switch statement, case labels other than FILEMON_SET_PID,
 * error paths and the return are on lines not in this listing.
 */
360 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
364 struct filemon *filemon;
368 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
371 sx_xlock(&filemon->lock);
374 /* Set the output file descriptor. */
/* A non-NULL fp means an output file is already set; the branch body is not in this listing. */
376 if (filemon->fp != NULL) {
/*
 * The descriptor number is caller-supplied. fget_write() looks it up for the
 * calling thread and is asked for the CAP_PWRITE capability right, so a
 * descriptor that is not writable is rejected rather than stored.
 */
381 error = fget_write(td, *(int *)data,
382 cap_rights_init(&rights, CAP_PWRITE),
385 /* Write the file header. */
386 filemon_write_header(filemon);
389 /* Set the monitored process ID. */
390 case FILEMON_SET_PID:
391 /* Invalidate any existing processes already set. */
392 filemon_untrack_processes(filemon);
/*
 * The pid is caller-supplied. PGET_CANDEBUG makes the lookup fail unless the
 * caller is permitted to debug the target, which is the authorization check
 * for tracing another process. PGET_NOTWEXIT and PGET_NOTINEXEC exclude
 * exiting and exec'ing targets, matching the KASSERTs in
 * filemon_attach_proc().
 */
394 error = pget(*((pid_t *)data),
395 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p);
397 KASSERT(p->p_filemon != filemon,
398 ("%s: proc %p didn't untrack filemon %p",
399 __func__, p, filemon));
400 error = filemon_attach_proc(filemon, p);
410 sx_xunlock(&filemon->lock);
/*
 * open(2) handler: allocate one filemon per open, initialise its lock and its
 * reference count (1), record the opener's credential, and hand the object to
 * devfs with filemon_dtr() as its destructor.
 */
415 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused,
419 struct filemon *filemon;
/*
 * NOTE(review): the malloc flags are on a line missing from this listing.
 * fp, error and proccnt are not set on the visible lines, so zeroed memory is
 * presumably relied on -- confirm the allocation requests it.
 */
421 filemon = malloc(sizeof(*filemon), M_FILEMON,
423 sx_init(&filemon->lock, "filemon");
424 refcount_init(&filemon->refcnt, 1);
/* The credential held is that of the opening thread, not of later ioctl callers. */
425 filemon->cred = crhold(td->td_ucred);
427 error = devfs_set_cdevpriv(filemon, filemon_dtr);
/*
 * Releasing the only reference frees the filemon.
 * NOTE(review): the condition guarding this call is not in the listing --
 * presumably the devfs_set_cdevpriv() failure path; confirm.
 */
429 filemon_release(filemon);
434 /* Called on close of last devfs file handle, before filemon_dtr(). */
/*
 * close handler: close the log under the filemon lock and pick up any log
 * write error recorded in filemon->error so it can be reported to the caller.
 * Traced processes are not detached here; that happens in filemon_dtr().
 */
436 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused,
437 struct thread *td __unused)
439 struct filemon *filemon;
442 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
445 sx_xlock(&filemon->lock);
446 filemon_close_log(filemon);
/* Read the stored error while still holding the lock that serialises log output. */
447 error = filemon->error;
448 sx_xunlock(&filemon->lock);
450 * Processes are still being traced but won't log anything
451 * now. After this call returns filemon_dtr() is called which
452 * will detach processes.
/* Module load: hook the syscall wrappers, then create the device node. */
459 filemon_load(void *dummy __unused)
462 /* Install the syscall wrappers. */
463 filemon_wrapper_install();
/*
 * The node is owned by root:wheel with mode 0666, so opening it is not
 * restricted by file permissions. Access control therefore rests on the
 * per-command checks in filemon_ioctl(): pget() with PGET_CANDEBUG for the
 * target process and fget_write() for the output descriptor.
 * NOTE(review): the remaining make_dev() arguments are not in this listing.
 */
465 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666,
/*
 * Tail of the unload path. The function header is not in this listing;
 * filemon_modevent() calls it as filemon_unload(). The device node is
 * destroyed before the syscall wrappers are removed.
 */
473 destroy_dev(filemon_dev);
474 filemon_wrapper_deinstall();
/*
 * Module event handler. Only the call into filemon_unload() and the remark
 * about forced unload are visible here; the dispatch on `type` and the code
 * that enforces the force requirement are on lines not in this listing.
 */
480 filemon_modevent(module_t mod __unused, int type, void *data)
490 error = filemon_unload();
495 * The wrapper implementation is unsafe for reliable unload.
496 * Require forcing an unload.
/* Register the module with filemon_modevent() as its event handler and declare module version 1. */
513 DEV_MODULE(filemon, filemon_modevent, NULL);
514 MODULE_VERSION(filemon, 1);