2 * Copyright (c) 2011, David E. O'Brien.
3 * Copyright (c) 2009-2011, Juniper Networks, Inc.
4 * Copyright (c) 2015-2016, EMC Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include <sys/eventhandler.h>
33 #include <sys/filedesc.h>
34 #include <sys/imgact.h>
37 #include <sys/sysent.h>
38 #include <sys/vnode.h>
40 #include <machine/stdarg.h>
42 #include "opt_compat.h"
44 static void filemon_output_event(struct filemon *filemon, const char *fmt, ...)
47 static eventhandler_tag filemon_exec_tag;
48 static eventhandler_tag filemon_exit_tag;
49 static eventhandler_tag filemon_fork_tag;
52 filemon_output(struct filemon *filemon, char *msg, size_t len)
58 if (filemon->fp == NULL)
66 auio.uio_segflg = UIO_SYSSPACE;
67 auio.uio_rw = UIO_WRITE;
68 auio.uio_td = curthread;
69 auio.uio_offset = (off_t) -1;
71 if (filemon->fp->f_type == DTYPE_VNODE)
74 error = fo_write(filemon->fp, &auio, filemon->cred, 0, curthread);
75 if (error != 0 && filemon->error == 0)
76 filemon->error = error;
80 filemon_output_event(struct filemon *filemon, const char *fmt, ...)
86 len = vsnprintf(filemon->msgbufr, sizeof(filemon->msgbufr), fmt, ap);
88 /* The event is truncated but still worth logging. */
89 if (len >= sizeof(filemon->msgbufr))
90 len = sizeof(filemon->msgbufr) - 1;
91 filemon_output(filemon, filemon->msgbufr, len);
95 filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap)
98 struct filemon *filemon;
100 if ((ret = sys_chdir(td, uap)) == 0) {
101 if ((filemon = filemon_proc_get(curproc)) != NULL) {
102 if ((error = copyinstr(uap->path, filemon->fname1,
103 sizeof(filemon->fname1), NULL)) != 0) {
104 filemon->error = error;
108 filemon_output_event(filemon, "C %d %s\n",
109 curproc->p_pid, filemon->fname1);
111 filemon_drop(filemon);
119 filemon_event_process_exec(void *arg __unused, struct proc *p,
120 struct image_params *imgp)
122 struct filemon *filemon;
124 if ((filemon = filemon_proc_get(p)) != NULL) {
125 filemon_output_event(filemon, "E %d %s\n",
127 imgp->execpath != NULL ? imgp->execpath : "<unknown>");
129 /* If the credentials changed then cease tracing. */
130 if (imgp->newcred != NULL &&
131 imgp->credential_setid &&
132 priv_check_cred(filemon->cred,
133 PRIV_DEBUG_DIFFCRED, 0) != 0) {
135 * It may have changed to NULL already, but
136 * will not be re-attached by anything else.
138 if (p->p_filemon != NULL) {
139 KASSERT(p->p_filemon == filemon,
140 ("%s: proc %p didn't have expected"
141 " filemon %p", __func__, p, filemon));
142 filemon_proc_drop(p);
147 filemon_drop(filemon);
152 _filemon_wrapper_openat(struct thread *td, char *upath, int flags, int fd)
156 struct filemon *filemon;
157 char *atpath, *freepath;
160 if ((filemon = filemon_proc_get(curproc)) != NULL) {
165 if ((error = copyinstr(upath, filemon->fname1,
166 sizeof(filemon->fname1), NULL)) != 0) {
167 filemon->error = error;
171 if (filemon->fname1[0] != '/' && fd != AT_FDCWD) {
173 * rats - we cannot do too much about this.
174 * the trace should show a dir we read
175 * recently.. output an A record as a clue
176 * until we can do better.
177 * XXX: This may be able to come out with
178 * the namecache lookup now.
180 filemon_output_event(filemon, "A %d %s\n",
181 curproc->p_pid, filemon->fname1);
183 * Try to resolve the path from the vnode using the
184 * namecache. It may be inaccurate, but better
187 if (getvnode(td->td_proc->p_fd, fd,
188 cap_rights_init(&rights, CAP_LOOKUP), &fp) == 0) {
189 vn_fullpath(td, fp->f_vnode, &atpath,
193 if (flags & O_RDWR) {
195 * We'll get the W record below, but need
196 * to also output an R to distinguish from
199 filemon_output_event(filemon, "R %d %s%s%s\n",
200 curproc->p_pid, atpath,
201 atpath[0] != '\0' ? "/" : "", filemon->fname1);
204 filemon_output_event(filemon, "%c %d %s%s%s\n",
205 (flags & O_ACCMODE) ? 'W':'R',
206 curproc->p_pid, atpath,
207 atpath[0] != '\0' ? "/" : "", filemon->fname1);
209 filemon_drop(filemon);
212 free(freepath, M_TEMP);
217 filemon_wrapper_open(struct thread *td, struct open_args *uap)
221 if ((ret = sys_open(td, uap)) == 0)
222 _filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD);
228 filemon_wrapper_openat(struct thread *td, struct openat_args *uap)
232 if ((ret = sys_openat(td, uap)) == 0)
233 _filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd);
239 filemon_wrapper_rename(struct thread *td, struct rename_args *uap)
242 struct filemon *filemon;
244 if ((ret = sys_rename(td, uap)) == 0) {
245 if ((filemon = filemon_proc_get(curproc)) != NULL) {
246 if (((error = copyinstr(uap->from, filemon->fname1,
247 sizeof(filemon->fname1), NULL)) != 0) ||
248 ((error = copyinstr(uap->to, filemon->fname2,
249 sizeof(filemon->fname2), NULL)) != 0)) {
250 filemon->error = error;
254 filemon_output_event(filemon, "M %d '%s' '%s'\n",
255 curproc->p_pid, filemon->fname1, filemon->fname2);
257 filemon_drop(filemon);
265 _filemon_wrapper_link(struct thread *td, char *upath1, char *upath2)
267 struct filemon *filemon;
270 if ((filemon = filemon_proc_get(curproc)) != NULL) {
271 if (((error = copyinstr(upath1, filemon->fname1,
272 sizeof(filemon->fname1), NULL)) != 0) ||
273 ((error = copyinstr(upath2, filemon->fname2,
274 sizeof(filemon->fname2), NULL)) != 0)) {
275 filemon->error = error;
279 filemon_output_event(filemon, "L %d '%s' '%s'\n",
280 curproc->p_pid, filemon->fname1, filemon->fname2);
282 filemon_drop(filemon);
287 filemon_wrapper_link(struct thread *td, struct link_args *uap)
291 if ((ret = sys_link(td, uap)) == 0)
292 _filemon_wrapper_link(td, uap->path, uap->link);
298 filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap)
302 if ((ret = sys_symlink(td, uap)) == 0)
303 _filemon_wrapper_link(td, uap->path, uap->link);
309 filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap)
313 if ((ret = sys_linkat(td, uap)) == 0)
314 _filemon_wrapper_link(td, uap->path1, uap->path2);
320 filemon_event_process_exit(void *arg __unused, struct proc *p)
322 struct filemon *filemon;
324 if ((filemon = filemon_proc_get(p)) != NULL) {
325 filemon_output_event(filemon, "X %d %d\n",
326 p->p_pid, W_EXITCODE(p->p_xstat, 0));
329 * filemon_untrack_processes() may have dropped this p_filemon
330 * already while in filemon_proc_get() before acquiring the
333 KASSERT(p->p_filemon == NULL || p->p_filemon == filemon,
334 ("%s: p %p was attached while exiting, expected "
335 "filemon %p or NULL", __func__, p, filemon));
336 if (p->p_filemon == filemon)
337 filemon_proc_drop(p);
339 filemon_drop(filemon);
344 filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap)
347 struct filemon *filemon;
349 if ((ret = sys_unlink(td, uap)) == 0) {
350 if ((filemon = filemon_proc_get(curproc)) != NULL) {
351 if ((error = copyinstr(uap->path, filemon->fname1,
352 sizeof(filemon->fname1), NULL)) != 0) {
353 filemon->error = error;
357 filemon_output_event(filemon, "D %d %s\n",
358 curproc->p_pid, filemon->fname1);
360 filemon_drop(filemon);
368 filemon_event_process_fork(void *arg __unused, struct proc *p1,
369 struct proc *p2, int flags __unused)
371 struct filemon *filemon;
373 if ((filemon = filemon_proc_get(p1)) != NULL) {
374 filemon_output_event(filemon, "F %d %d\n",
375 p1->p_pid, p2->p_pid);
378 * filemon_untrack_processes() or
379 * filemon_ioctl(FILEMON_SET_PID) may have changed the parent's
380 * p_filemon while in filemon_proc_get() before acquiring the
381 * filemon lock. Only inherit if the parent is still traced by
384 if (p1->p_filemon == filemon) {
387 * It may have been attached to already by a new
390 if (p2->p_filemon == NULL) {
391 p2->p_filemon = filemon_acquire(filemon);
397 filemon_drop(filemon);
402 filemon_wrapper_install(void)
405 sysent[SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
406 sysent[SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
407 sysent[SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
408 sysent[SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
409 sysent[SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
410 sysent[SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
411 sysent[SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
412 sysent[SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
414 #if defined(COMPAT_FREEBSD32)
415 freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
416 freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
417 freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
418 freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
419 freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
420 freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
421 freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
422 freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
423 #endif /* COMPAT_FREEBSD32 */
425 filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec,
426 filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST);
427 filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit,
428 filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST);
429 filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork,
430 filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST);
434 filemon_wrapper_deinstall(void)
437 sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
438 sysent[SYS_open].sy_call = (sy_call_t *)sys_open;
439 sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat;
440 sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename;
441 sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
442 sysent[SYS_link].sy_call = (sy_call_t *)sys_link;
443 sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
444 sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
446 #if defined(COMPAT_FREEBSD32)
447 freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
448 freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *)sys_open;
449 freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *)sys_openat;
450 freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *)sys_rename;
451 freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
452 freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *)sys_link;
453 freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
454 freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
455 #endif /* COMPAT_FREEBSD32 */
457 EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag);
458 EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag);
459 EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag);
projects / FreeBSD / stable / 10.git / blob