2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2011, David E. O'Brien.
5 * Copyright (c) 2009-2011, Juniper Networks, Inc.
6 * Copyright (c) 2015-2016, EMC Corp.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
34 #include <sys/eventhandler.h>
35 #include <sys/filedesc.h>
36 #include <sys/imgact.h>
39 #include <sys/sysent.h>
40 #include <sys/vnode.h>
42 #include "opt_compat.h"
/*
 * Handles returned by EVENTHANDLER_REGISTER() for the process exec, exit
 * and fork hooks; kept so the hooks can be deregistered on unload.
 */
static eventhandler_tag filemon_exec_tag;
static eventhandler_tag filemon_exit_tag;
static eventhandler_tag filemon_fork_tag;
/*
 * Append one already-formatted record to the tracer's log file.
 *
 * filemon: tracing context; fp is the output file, cred the credential the
 *          write is performed with.
 * msg:     kernel-space buffer holding the record.
 * len:     number of bytes to write.  It is trusted as given: the caller
 *          must not pass more than the buffer behind msg actually holds.
 *
 * Nothing is returned.  Only the first write error is kept, in
 * filemon->error; later failures do not overwrite it.
 */
static void
filemon_output(struct filemon *filemon, char *msg, size_t len)
{
	struct iovec vec;
	struct uio io;
	int rc;

	/* Without an attached log file there is nowhere to write. */
	if (filemon->fp != NULL) {
		vec.iov_base = msg;
		vec.iov_len = len;

		io.uio_iov = &vec;
		io.uio_iovcnt = 1;
		io.uio_resid = len;
		/* The record lives in kernel memory, not in user space. */
		io.uio_segflg = UIO_SYSSPACE;
		io.uio_rw = UIO_WRITE;
		io.uio_td = curthread;
		io.uio_offset = (off_t) -1;

		/* Only vnode-backed logs go through bwillwrite() first. */
		if (filemon->fp->f_type == DTYPE_VNODE)
			bwillwrite();

		rc = fo_write(filemon->fp, &io, filemon->cred, 0, curthread);
		if (rc != 0 && filemon->error == 0)
			filemon->error = rc;
	}
}
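/*
 * Replacement for the chdir(2) entry: run the real system call and, when
 * it succeeds and the calling process is traced, log "C <pid> <path>".
 *
 * Returns the result of sys_chdir() unchanged.  A logging failure is only
 * recorded in filemon->error and never alters the system call result.
 */
static int
filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap)
{
	int error, ret;
	size_t len;
	struct filemon *filemon;

	if ((ret = sys_chdir(td, uap)) == 0) {
		if ((filemon = filemon_proc_get(curproc)) != NULL) {
			/*
			 * The path is copied in from user memory again after
			 * sys_chdir() has returned, so the logged name is what
			 * user space holds now and can differ from the name
			 * the kernel acted on.
			 */
			if ((error = copyinstr(uap->path, filemon->fname1,
			    sizeof(filemon->fname1), NULL)) != 0) {
				filemon->error = error;
				goto copyfail;
			}

			len = snprintf(filemon->msgbufr,
			    sizeof(filemon->msgbufr), "C %d %s\n",
			    curproc->p_pid, filemon->fname1);
			/*
			 * snprintf() returns the length the record would have
			 * had without truncation.  Clamp it so an over-long
			 * record is logged truncated instead of making
			 * filemon_output() read past the end of msgbufr.
			 */
			if (len >= sizeof(filemon->msgbufr))
				len = sizeof(filemon->msgbufr) - 1;

			filemon_output(filemon, filemon->msgbufr, len);
copyfail:
			filemon_drop(filemon);
		}
	}

	return (ret);
}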
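/*
 * process_exec event handler: log "E <pid> <execpath>" for a traced
 * process, then stop tracing it if the exec changed credentials in a way
 * the tracer is not privileged to follow.
 *
 * arg:  unused registration argument.
 * p:    process performing the exec.
 * imgp: image parameters of the exec; execpath may be NULL.
 */
static void
filemon_event_process_exec(void *arg __unused, struct proc *p,
    struct image_params *imgp)
{
	struct filemon *filemon;
	size_t len;

	if ((filemon = filemon_proc_get(p)) != NULL) {
		len = snprintf(filemon->msgbufr,
		    sizeof(filemon->msgbufr), "E %d %s\n",
		    p->p_pid,
		    imgp->execpath != NULL ? imgp->execpath : "<unknown>");
		/*
		 * snprintf() returns the untruncated length; clamp it so
		 * filemon_output() never reads past the end of msgbufr.
		 */
		if (len >= sizeof(filemon->msgbufr))
			len = sizeof(filemon->msgbufr) - 1;

		filemon_output(filemon, filemon->msgbufr, len);

		/*
		 * If the credentials changed then cease tracing.  The check
		 * is made against the tracer's credential: unless it holds
		 * PRIV_DEBUG_DIFFCRED, a set-id exec detaches the process.
		 * The E record above has already been written by then, so
		 * the exec itself is logged but nothing after it.
		 */
		if (imgp->newcred != NULL &&
		    imgp->credential_setid &&
		    priv_check_cred(filemon->cred,
		    PRIV_DEBUG_DIFFCRED, 0) != 0) {
			/*
			 * It may have changed to NULL already, but
			 * will not be re-attached by anything else.
			 */
			if (p->p_filemon != NULL) {
				KASSERT(p->p_filemon == filemon,
				    ("%s: proc %p didn't have expected"
				    " filemon %p", __func__, p, filemon));
				filemon_proc_drop(p);
			}
		}

		filemon_drop(filemon);
	}
}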
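/*
 * Shared logging tail for the open(2) and openat(2) wrappers; the callers
 * invoke it only after the real system call succeeded.
 *
 * td:    calling thread.
 * upath: user-space pointer to the path that was opened.
 * flags: open flags as passed by user space.
 * fd:    directory descriptor of openat(2), or AT_FDCWD.
 *
 * Records written: "A" for a relative path opened against a directory
 * descriptor, "R" in addition to "W" for O_RDWR, then "W" or "R" for the
 * open itself.  Errors are recorded in filemon->error only.
 */
static void
_filemon_wrapper_openat(struct thread *td, char *upath, int flags, int fd)
{
	int error;
	size_t len;
	struct file *fp;
	struct filemon *filemon;
	char *atpath, *freepath;
	cap_rights_t rights;

	if ((filemon = filemon_proc_get(curproc)) != NULL) {
		atpath = "";
		freepath = NULL;
		fp = NULL;

		/*
		 * Second read of the user path, after the open already
		 * happened: the logged name reflects user memory as it is
		 * now, not necessarily the name that was opened.
		 */
		if ((error = copyinstr(upath, filemon->fname1,
		    sizeof(filemon->fname1), NULL)) != 0) {
			filemon->error = error;
			goto copyfail;
		}

		if (filemon->fname1[0] != '/' && fd != AT_FDCWD) {
			/*
			 * Relative path against a directory descriptor: the
			 * directory is not known from the path alone.  Emit
			 * an A record as a clue for the reader of the trace.
			 * XXX: This may be able to come out with
			 * the namecache lookup now.
			 */
			len = snprintf(filemon->msgbufr,
			    sizeof(filemon->msgbufr), "A %d %s\n",
			    curproc->p_pid, filemon->fname1);
			/*
			 * snprintf() returns the untruncated length; clamp it
			 * so filemon_output() stays inside msgbufr.
			 */
			if (len >= sizeof(filemon->msgbufr))
				len = sizeof(filemon->msgbufr) - 1;
			filemon_output(filemon, filemon->msgbufr, len);
			/*
			 * Try to resolve the path from the vnode using the
			 * namecache.  It may be inaccurate, but better
			 * than nothing.  On failure atpath stays "".
			 */
			if (getvnode(td, fd,
			    cap_rights_init(&rights, CAP_LOOKUP), &fp) == 0) {
				vn_fullpath(td, fp->f_vnode, &atpath,
				    &freepath);
			}
		}
		if (flags & O_RDWR) {
			/*
			 * We'll get the W record below, but need
			 * to also output an R to distinguish from
			 * O_WRONLY.
			 */
			len = snprintf(filemon->msgbufr,
			    sizeof(filemon->msgbufr), "R %d %s%s%s\n",
			    curproc->p_pid, atpath,
			    atpath[0] != '\0' ? "/" : "", filemon->fname1);
			/* Directory plus name may not fit; see clamp above. */
			if (len >= sizeof(filemon->msgbufr))
				len = sizeof(filemon->msgbufr) - 1;
			filemon_output(filemon, filemon->msgbufr, len);
		}

		/* Any access mode other than read-only is logged as W. */
		len = snprintf(filemon->msgbufr,
		    sizeof(filemon->msgbufr), "%c %d %s%s%s\n",
		    (flags & O_ACCMODE) ? 'W':'R',
		    curproc->p_pid, atpath,
		    atpath[0] != '\0' ? "/" : "", filemon->fname1);
		/* Keep the write inside msgbufr if the record was cut. */
		if (len >= sizeof(filemon->msgbufr))
			len = sizeof(filemon->msgbufr) - 1;
		filemon_output(filemon, filemon->msgbufr, len);
copyfail:
		filemon_drop(filemon);
		/* Release the directory file reference taken by getvnode(). */
		if (fp != NULL)
			fdrop(fp, td);
		free(freepath, M_TEMP);
	}
}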
/*
 * Replacement for the open(2) entry.  The real system call runs first;
 * only a successful open is handed to the logging helper, with AT_FDCWD
 * standing in for the directory descriptor.  Returns sys_open()'s result.
 */
static int
filemon_wrapper_open(struct thread *td, struct open_args *uap)
{
	int rc;

	rc = sys_open(td, uap);
	if (rc != 0)
		return (rc);

	_filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD);
	return (rc);
}
/*
 * Replacement for the openat(2) entry.  The real system call runs first;
 * only a successful open is logged, together with the directory
 * descriptor the caller supplied.  Returns sys_openat()'s result.
 */
static int
filemon_wrapper_openat(struct thread *td, struct openat_args *uap)
{
	int rc;

	rc = sys_openat(td, uap);
	if (rc != 0)
		return (rc);

	_filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd);
	return (rc);
}
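/*
 * Replacement for the rename(2) entry: run the real system call and, when
 * it succeeds and the calling process is traced, log
 * "M <pid> '<from>' '<to>'".
 *
 * Returns the result of sys_rename() unchanged; logging errors are only
 * recorded in filemon->error.
 */
static int
filemon_wrapper_rename(struct thread *td, struct rename_args *uap)
{
	int error, ret;
	size_t len;
	struct filemon *filemon;

	if ((ret = sys_rename(td, uap)) == 0) {
		if ((filemon = filemon_proc_get(curproc)) != NULL) {
			/*
			 * Both names are read from user memory again after
			 * the rename completed, so they can differ from the
			 * names the kernel acted on.
			 */
			if (((error = copyinstr(uap->from, filemon->fname1,
			    sizeof(filemon->fname1), NULL)) != 0) ||
			    ((error = copyinstr(uap->to, filemon->fname2,
			    sizeof(filemon->fname2), NULL)) != 0)) {
				filemon->error = error;
				goto copyfail;
			}

			/*
			 * The names are quoted but not escaped: a name that
			 * itself contains a quote or a newline makes the
			 * record ambiguous for whoever parses the log.
			 */
			len = snprintf(filemon->msgbufr,
			    sizeof(filemon->msgbufr), "M %d '%s' '%s'\n",
			    curproc->p_pid, filemon->fname1, filemon->fname2);
			/*
			 * Two full-length names may not fit in msgbufr, and
			 * snprintf() returns the untruncated length.  Clamp it
			 * so filemon_output() never reads past the buffer.
			 */
			if (len >= sizeof(filemon->msgbufr))
				len = sizeof(filemon->msgbufr) - 1;

			filemon_output(filemon, filemon->msgbufr, len);
copyfail:
			filemon_drop(filemon);
		}
	}

	return (ret);
}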
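/*
 * Shared logging tail for the link(2), symlink(2) and linkat(2) wrappers;
 * the callers invoke it only after the real system call succeeded.
 * Writes "L <pid> '<path1>' '<path2>'" for a traced process.
 *
 * td:     calling thread.
 * upath1: user-space pointer to the first path argument.
 * upath2: user-space pointer to the second path argument.
 */
static void
_filemon_wrapper_link(struct thread *td, char *upath1, char *upath2)
{
	struct filemon *filemon;
	size_t len;
	int error;

	if ((filemon = filemon_proc_get(curproc)) != NULL) {
		/*
		 * Both names come from a fresh read of user memory made
		 * after the link was created; they can differ from the
		 * names the kernel acted on.
		 */
		if (((error = copyinstr(upath1, filemon->fname1,
		    sizeof(filemon->fname1), NULL)) != 0) ||
		    ((error = copyinstr(upath2, filemon->fname2,
		    sizeof(filemon->fname2), NULL)) != 0)) {
			filemon->error = error;
			goto copyfail;
		}

		/* Names are quoted but not escaped in the record. */
		len = snprintf(filemon->msgbufr,
		    sizeof(filemon->msgbufr), "L %d '%s' '%s'\n",
		    curproc->p_pid, filemon->fname1, filemon->fname2);
		/*
		 * Two full-length names may not fit in msgbufr, and
		 * snprintf() returns the untruncated length.  Clamp it so
		 * filemon_output() never reads past the buffer.
		 */
		if (len >= sizeof(filemon->msgbufr))
			len = sizeof(filemon->msgbufr) - 1;

		filemon_output(filemon, filemon->msgbufr, len);
copyfail:
		filemon_drop(filemon);
	}
}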
/*
 * Replacement for the link(2) entry.  Logs the pair of paths only when the
 * real system call succeeded.  Returns sys_link()'s result.
 */
static int
filemon_wrapper_link(struct thread *td, struct link_args *uap)
{
	int rc;

	rc = sys_link(td, uap);
	if (rc != 0)
		return (rc);

	_filemon_wrapper_link(td, uap->path, uap->link);
	return (rc);
}
/*
 * Replacement for the symlink(2) entry.  Logs the pair of paths, as an L
 * record like a hard link, only when the real system call succeeded.
 * Returns sys_symlink()'s result.
 */
static int
filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap)
{
	int rc;

	rc = sys_symlink(td, uap);
	if (rc != 0)
		return (rc);

	_filemon_wrapper_link(td, uap->path, uap->link);
	return (rc);
}
/*
 * Replacement for the linkat(2) entry.  Logs the pair of paths only when
 * the real system call succeeded; the directory descriptors of linkat(2)
 * are not passed on to the logger.  Returns sys_linkat()'s result.
 */
static int
filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap)
{
	int rc;

	rc = sys_linkat(td, uap);
	if (rc != 0)
		return (rc);

	_filemon_wrapper_link(td, uap->path1, uap->path2);
	return (rc);
}
/*
 * process_exit event handler: log "X <pid> <exit status> <signal>" for a
 * traced process and detach it from its filemon.
 *
 * arg: unused registration argument.
 * p:   the exiting process.
 */
static void
filemon_event_process_exit(void *arg __unused, struct proc *p)
{
	struct filemon *fm;
	size_t reclen;

	fm = filemon_proc_get(p);
	if (fm == NULL)
		return;

	reclen = snprintf(fm->msgbufr, sizeof(fm->msgbufr),
	    "X %d %d %d\n", p->p_pid, p->p_xexit, p->p_xsig);
	filemon_output(fm, fm->msgbufr, reclen);

	/*
	 * filemon_untrack_processes() may have dropped this p_filemon
	 * already while in filemon_proc_get() before acquiring the
	 * filemon lock, so detach only if the process still points at
	 * the filemon obtained above.
	 */
	KASSERT(p->p_filemon == NULL || p->p_filemon == fm,
	    ("%s: p %p was attached while exiting, expected "
	    "filemon %p or NULL", __func__, p, fm));
	if (p->p_filemon == fm)
		filemon_proc_drop(p);

	filemon_drop(fm);
}
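/*
 * Replacement for the unlink(2) entry: run the real system call and, when
 * it succeeds and the calling process is traced, log "D <pid> <path>".
 *
 * Returns the result of sys_unlink() unchanged; logging errors are only
 * recorded in filemon->error.
 */
static int
filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap)
{
	int error, ret;
	size_t len;
	struct filemon *filemon;

	if ((ret = sys_unlink(td, uap)) == 0) {
		if ((filemon = filemon_proc_get(curproc)) != NULL) {
			/*
			 * The path is read from user memory again after the
			 * unlink completed, so the logged name can differ
			 * from the name the kernel removed.
			 */
			if ((error = copyinstr(uap->path, filemon->fname1,
			    sizeof(filemon->fname1), NULL)) != 0) {
				filemon->error = error;
				goto copyfail;
			}

			len = snprintf(filemon->msgbufr,
			    sizeof(filemon->msgbufr), "D %d %s\n",
			    curproc->p_pid, filemon->fname1);
			/*
			 * snprintf() returns the untruncated length; clamp it
			 * so filemon_output() never reads past msgbufr.
			 */
			if (len >= sizeof(filemon->msgbufr))
				len = sizeof(filemon->msgbufr) - 1;

			filemon_output(filemon, filemon->msgbufr, len);
copyfail:
			filemon_drop(filemon);
		}
	}

	return (ret);
}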
/*
 * process_fork event handler: log "F <parent pid> <child pid>" when the
 * parent is traced and let the child inherit the parent's filemon.
 *
 * arg:   unused registration argument.
 * p1:    parent process.
 * p2:    newly created child process.
 * flags: unused.
 */
static void
filemon_event_process_fork(void *arg __unused, struct proc *p1,
    struct proc *p2, int flags __unused)
{
	struct filemon *fm;
	size_t reclen;

	fm = filemon_proc_get(p1);
	if (fm == NULL)
		return;

	reclen = snprintf(fm->msgbufr,
	    sizeof(fm->msgbufr), "F %d %d\n",
	    p1->p_pid, p2->p_pid);
	filemon_output(fm, fm->msgbufr, reclen);

	/*
	 * filemon_untrack_processes() or
	 * filemon_ioctl(FILEMON_SET_PID) may have changed the parent's
	 * p_filemon while in filemon_proc_get() before acquiring the
	 * filemon lock.  Only inherit if the parent is still traced by
	 * this filemon.
	 */
	if (p1->p_filemon == fm) {
		PROC_LOCK(p2);
		/*
		 * It may have been attached to already by a new
		 * filemon; never replace an existing attachment.
		 */
		if (p2->p_filemon == NULL) {
			p2->p_filemon = filemon_acquire(fm);
			++fm->proccnt;
		}
		PROC_UNLOCK(p2);
	}

	filemon_drop(fm);
}
/*
 * Hook filemon into the kernel: point the system call table entries for
 * chdir, open, openat, rename, unlink, link, symlink and linkat at the
 * filemon wrappers, then register the process exec/exit/fork handlers.
 *
 * The previous sy_call pointers are not saved here.
 * NOTE(review): no locking is visible around these table writes; confirm
 * that the caller serialises them against module load and unload.
 */
static void
filemon_wrapper_install(void)
{

	/* Native system call table. */
	sysent[SYS_chdir].sy_call = (sy_call_t *)filemon_wrapper_chdir;
	sysent[SYS_open].sy_call = (sy_call_t *)filemon_wrapper_open;
	sysent[SYS_openat].sy_call = (sy_call_t *)filemon_wrapper_openat;
	sysent[SYS_rename].sy_call = (sy_call_t *)filemon_wrapper_rename;
	sysent[SYS_unlink].sy_call = (sy_call_t *)filemon_wrapper_unlink;
	sysent[SYS_link].sy_call = (sy_call_t *)filemon_wrapper_link;
	sysent[SYS_symlink].sy_call = (sy_call_t *)filemon_wrapper_symlink;
	sysent[SYS_linkat].sy_call = (sy_call_t *)filemon_wrapper_linkat;

#if defined(COMPAT_FREEBSD32)
	/* 32-bit compatibility table: same wrappers, its own numbering. */
	freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call =
	    (sy_call_t *)filemon_wrapper_chdir;
	freebsd32_sysent[FREEBSD32_SYS_open].sy_call =
	    (sy_call_t *)filemon_wrapper_open;
	freebsd32_sysent[FREEBSD32_SYS_openat].sy_call =
	    (sy_call_t *)filemon_wrapper_openat;
	freebsd32_sysent[FREEBSD32_SYS_rename].sy_call =
	    (sy_call_t *)filemon_wrapper_rename;
	freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call =
	    (sy_call_t *)filemon_wrapper_unlink;
	freebsd32_sysent[FREEBSD32_SYS_link].sy_call =
	    (sy_call_t *)filemon_wrapper_link;
	freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call =
	    (sy_call_t *)filemon_wrapper_symlink;
	freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call =
	    (sy_call_t *)filemon_wrapper_linkat;
#endif /* COMPAT_FREEBSD32 */

	/* Process lifecycle hooks, registered at the lowest priority. */
	filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec,
	    filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST);
	filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit,
	    filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST);
	filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork,
	    filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST);
}
/*
 * Undo filemon_wrapper_install(): point the hooked system call table
 * entries back at the stock sys_*() implementations and deregister the
 * process exec/exit/fork handlers.
 *
 * The entries are reset to the stock handlers unconditionally, not to a
 * saved previous value, so any other replacement made on these slots in
 * the meantime is discarded.
 * NOTE(review): nothing here waits for threads that are still executing
 * inside a wrapper; confirm the unload path accounts for them.
 */
static void
filemon_wrapper_deinstall(void)
{

	/* Native system call table. */
	sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
	sysent[SYS_open].sy_call = (sy_call_t *)sys_open;
	sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat;
	sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename;
	sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
	sysent[SYS_link].sy_call = (sy_call_t *)sys_link;
	sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
	sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat;

#if defined(COMPAT_FREEBSD32)
	/* 32-bit compatibility table. */
	freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call =
	    (sy_call_t *)sys_chdir;
	freebsd32_sysent[FREEBSD32_SYS_open].sy_call =
	    (sy_call_t *)sys_open;
	freebsd32_sysent[FREEBSD32_SYS_openat].sy_call =
	    (sy_call_t *)sys_openat;
	freebsd32_sysent[FREEBSD32_SYS_rename].sy_call =
	    (sy_call_t *)sys_rename;
	freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call =
	    (sy_call_t *)sys_unlink;
	freebsd32_sysent[FREEBSD32_SYS_link].sy_call =
	    (sy_call_t *)sys_link;
	freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call =
	    (sy_call_t *)sys_symlink;
	freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call =
	    (sy_call_t *)sys_linkat;
#endif /* COMPAT_FREEBSD32 */

	/* Drop the process lifecycle hooks using the saved handles. */
	EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag);
	EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag);
	EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag);
}