1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 *
24 * write binary audit records directly to a file.
25 */
26
27 #define DEBUG 0
28
29 #if DEBUG
30 #define DPRINT(x) { (void) fprintf x; }
31 #else
32 #define DPRINT(x)
33 #endif
34
35 /*
36 * auditd_plugin_open(), auditd_plugin() and auditd_plugin_close()
37 * implement a replacable library for use by auditd; they are a
38 * project private interface and may change without notice.
39 *
40 */
41
42 #include <assert.h>
43 #include <bsm/audit.h>
44 #include <bsm/audit_record.h>
45 #include <bsm/libbsm.h>
46 #include <errno.h>
47 #include <fcntl.h>
48 #include <libintl.h>
49 #include <netdb.h>
50 #include <pthread.h>
51 #include <secdb.h>
52 #include <signal.h>
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <sys/param.h>
57 #include <sys/types.h>
58 #include <time.h>
59 #include <tzfile.h>
60 #include <unistd.h>
61 #include <sys/vfs.h>
62 #include <limits.h>
63 #include <syslog.h>
64 #include <security/auditd.h>
65 #include <audit_plugin.h>
66
67 #define AUDIT_DATE_SZ 14
68 #define AUDIT_FNAME_SZ 2 * AUDIT_DATE_SZ + 2 + MAXHOSTNAMELEN
69
70 /* per-directory status */
71 #define SOFT_SPACE 0 /* minfree or less space available */
72 #define PLENTY_SPACE 1 /* more than minfree available */
73 #define SPACE_FULL 2 /* out of space */
74
75 #define AVAIL_MIN 50 /* If there are less that this number */
76 /* of blocks avail, the filesystem is */
77 /* presumed full. */
78
79 #define ALLHARD_DELAY 20 /* Call audit_warn(allhard) every 20 seconds */
80
81 /* minimum reasonable size in bytes to roll over an audit file */
82 #define FSIZE_MIN 512000
83
84 /*
85 * The directory list is a circular linked list. It is pointed into by
86 * activeDir. Each element contains the pointer to the next
87 * element, the directory pathname, a flag for how much space there is
88 * in the directory's filesystem, and a file handle. Since a new
89 * directory list can be created from auditd_plugin_open() while the
90 * current list is in use, activeDir is protected by log_mutex.
91 */
92 typedef struct dirlist_s dirlist_t;
93 struct dirlist_s {
94 dirlist_t *dl_next;
95 int dl_space;
96 int dl_flags;
97 char *dl_dirname;
98 char *dl_filename; /* file name (not path) if open */
99 int dl_fd; /* file handle, -1 unless open */
100 };
101 /*
102 * Defines for dl_flags
103 */
104 #define SOFT_WARNED 0x0001 /* already did soft warning for this dir */
105 #define HARD_WARNED 0x0002 /* already did hard warning for this dir */
106
107 #if DEBUG
108 static FILE *dbfp; /* debug file */
109 #endif
110
111 static pthread_mutex_t log_mutex;
112 static int binfile_is_open = 0;
113
114 static int minfree = -1;
115 static int minfreeblocks; /* minfree in blocks */
116
117 static dirlist_t *lastOpenDir = NULL; /* last activeDir */
118 static dirlist_t *activeDir = NULL; /* to be current directory */
119 static dirlist_t *startdir; /* first dir in the ring */
120 static int activeCount = 0; /* number of dirs in the ring */
121
122 static int openNewFile = 0; /* need to open a new file */
123 static int hung_count = 0; /* count of audit_warn hard */
124
125 /* flag from audit_plugin_open to audit_plugin_close */
126 static int am_open = 0;
127 /* preferred dir state */
128 static int fullness_state = PLENTY_SPACE;
129
130 /*
131 * These are used to implement a maximum size for the auditing
132 * file. binfile_maxsize is set via the 'p_fsize' parameter to the
133 * audit_binfile plugin.
134 */
135 static uint_t binfile_cursize = 0;
136 static uint_t binfile_maxsize = 0;
137
138 static int open_log(dirlist_t *);
139
140 static void
141 freedirlist(dirlist_t *head)
142 {
143 dirlist_t *n1, *n2;
144 /*
145 * Free up the old directory list if any
146 */
147 if (head != NULL) {
148 n1 = head;
149 do {
150 n2 = n1->dl_next;
151 free(n1->dl_dirname);
152 free(n1->dl_filename);
153 free(n1);
154 n1 = n2;
155 } while (n1 != head);
156 }
157 }
158
159 dirlist_t *
160 dupdirnode(dirlist_t *node_orig)
161 {
162 dirlist_t *node_new;
163
164 if ((node_new = calloc(1, sizeof (dirlist_t))) == NULL) {
165 return (NULL);
166 }
167
168 if (node_orig->dl_dirname != NULL &&
169 (node_new->dl_dirname = strdup(node_orig->dl_dirname)) == NULL ||
170 node_orig->dl_filename != NULL &&
171 (node_new->dl_filename = strdup(node_orig->dl_filename)) == NULL) {
172 freedirlist(node_new);
173 return (NULL);
174 }
175
176 node_new->dl_next = node_new;
177 node_new->dl_space = node_orig->dl_space;
178 node_new->dl_flags = node_orig->dl_flags;
179 node_new->dl_fd = node_orig->dl_fd;
180
181 return (node_new);
182 }
183
184 /*
185 * add to a linked list of directories available for writing
186 *
187 */
188 static int
189 growauditlist(dirlist_t **listhead, char *dirlist,
190 dirlist_t *endnode, int *count)
191 {
192 dirlist_t *node;
193 char *bs, *be;
194 dirlist_t **node_p;
195 char *dirname;
196 char *remainder;
197
198 DPRINT((dbfp, "binfile: dirlist=%s\n", dirlist));
199
200 if (*listhead == NULL)
201 node_p = listhead;
202 else
203 node_p = &(endnode->dl_next);
204
205 node = NULL;
206 while ((dirname = strtok_r(dirlist, ",", &remainder)) != NULL) {
207 dirlist = NULL;
208
209 DPRINT((dbfp, "binfile: p_dir = %s\n", dirname));
210
211 (*count)++;
212 node = malloc(sizeof (dirlist_t));
213 if (node == NULL)
214 return (AUDITD_NO_MEMORY);
215
216 node->dl_flags = 0;
217 node->dl_filename = NULL;
218 node->dl_fd = -1;
219 node->dl_space = PLENTY_SPACE;
220
221 node->dl_dirname = malloc((unsigned)strlen(dirname) + 1);
222 if (node->dl_dirname == NULL)
223 return (AUDITD_NO_MEMORY);
224
225 bs = dirname;
226 while ((*bs == ' ') || (*bs == '\t')) /* trim blanks */
227 bs++;
228 be = bs + strlen(bs) - 1;
229 while (be > bs) { /* trim trailing blanks */
230 if ((*bs != ' ') && (*bs != '\t'))
231 break;
232 be--;
233 }
234 *(be + 1) = '\0';
235 (void) strlcpy(node->dl_dirname, bs, AUDIT_FNAME_SZ);
236
237 if (*listhead != NULL)
238 node->dl_next = *listhead;
239 else
240 node->dl_next = node;
241 *node_p = node;
242 node_p = &(node->dl_next);
243
244 }
245 return (0);
246 }
247
248 /*
249 * create a linked list of directories available for writing
250 *
251 * if a list already exists, the two are compared and the new one is
252 * used only if it is different than the old.
253 *
254 * returns -2 for new or changed list, 0 for unchanged list and -1 for
255 * error. (Positive returns are for AUDITD_<error code> values)
256 *
257 */
258 static int
259 loadauditlist(char *dirstr, char *minfreestr)
260 {
261 dirlist_t *n1, *n2;
262 dirlist_t *listhead = NULL;
263 dirlist_t *thisdir;
264 int node_count = 0;
265 int rc;
266 int temp_minfree;
267
268 static dirlist_t *activeList = NULL; /* directory list */
269
270 DPRINT((dbfp, "binfile: Loading audit list from audit service "
271 "(audit_binfile)\n"));
272
273 if (dirstr == NULL || minfreestr == NULL) {
274 DPRINT((dbfp, "binfile: internal error"));
275 return (-1);
276 }
277 if ((rc = growauditlist(&listhead, dirstr, NULL, &node_count)) != 0) {
278 return (rc);
279 }
280 if (node_count == 0) {
281 /*
282 * there was a problem getting the directory
283 * list or remote host info from the audit_binfile
284 * configuration even though auditd thought there was
285 * at least 1 good entry
286 */
287 DPRINT((dbfp, "binfile: "
288 "problem getting directory / libpath list "
289 "from audit_binfile configuration.\n"));
290 return (-1);
291 }
292
293 #if DEBUG
294 /* print out directory list */
295 if (listhead != NULL) {
296 (void) fprintf(dbfp, "Directory list:\n\t%s\n",
297 listhead->dl_dirname);
298 thisdir = listhead->dl_next;
299
300 while (thisdir != listhead) {
301 (void) fprintf(dbfp, "\t%s\n", thisdir->dl_dirname);
302 thisdir = thisdir->dl_next;
303 }
304 }
305 #endif /* DEBUG */
306
307 thisdir = listhead;
308
309 /* See if the list has changed (rc = 0 if no change, else 1) */
310 rc = 0;
311 if (node_count == activeCount) {
312 n1 = listhead;
313 n2 = activeList;
314 do {
315 if (strcmp(n1->dl_dirname, n2->dl_dirname) != 0) {
316 DPRINT((dbfp,
317 "binfile: new dirname = %s\n"
318 "binfile: old dirname = %s\n",
319 n1->dl_dirname,
320 n2->dl_dirname));
321 rc = -2;
322 break;
323 }
324 n1 = n1->dl_next;
325 n2 = n2->dl_next;
326 } while ((n1 != listhead) && (n2 != activeList));
327 } else {
328 DPRINT((dbfp, "binfile: dir counts differs\n"
329 "binfile: old dir count = %d\n"
330 "binfile: new dir count = %d\n",
331 activeCount, node_count));
332 rc = -2;
333 }
334 if (rc == -2) {
335 (void) pthread_mutex_lock(&log_mutex);
336 DPRINT((dbfp, "loadauditlist: close / open audit.log(4)\n"));
337 if (open_log(listhead) == 0) {
338 openNewFile = 1; /* try again later */
339 } else {
340 openNewFile = 0;
341 }
342 freedirlist(activeList); /* old list */
343 activeList = listhead; /* new list */
344 activeDir = startdir = thisdir;
345 activeCount = node_count;
346 (void) pthread_mutex_unlock(&log_mutex);
347 } else {
348 freedirlist(listhead);
349 }
350
351 /* Get the minfree value. */
352 temp_minfree = atoi(minfreestr);
353
354 if ((temp_minfree < 0) || (temp_minfree > 100))
355 temp_minfree = 0;
356
357 if (minfree != temp_minfree) {
358 DPRINT((dbfp, "minfree: old = %d, new = %d\n",
359 minfree, temp_minfree));
360 rc = -2; /* data change */
361 minfree = temp_minfree;
362 }
363
364 return (rc);
365 }
366
367 /*
368 * getauditdate - get the current time (GMT) and put it in the form
369 * yyyymmddHHMMSS .
370 */
371 static void
372 getauditdate(char *date)
373 {
374 struct timeval tp;
375 struct timezone tzp;
376 struct tm tm;
377
378 (void) gettimeofday(&tp, &tzp);
379 tm = *gmtime(&tp.tv_sec);
380 /*
381 * NOTE: if we want to use gmtime, we have to be aware that the
382 * structure only keeps the year as an offset from TM_YEAR_BASE.
383 * I have used TM_YEAR_BASE in this code so that if they change
384 * this base from 1900 to 2000, it will hopefully mean that this
385 * code does not have to change. TM_YEAR_BASE is defined in
386 * tzfile.h .
387 */
388 (void) sprintf(date, "%.4d%.2d%.2d%.2d%.2d%.2d",
389 tm.tm_year + TM_YEAR_BASE, tm.tm_mon + 1, tm.tm_mday,
390 tm.tm_hour, tm.tm_min, tm.tm_sec);
391 }
392
393
394
395 /*
396 * write_file_token - put the file token into the audit log
397 */
398 static int
399 write_file_token(int fd, char *name)
400 {
401 adr_t adr; /* xdr ptr */
402 struct timeval tv; /* time now */
403 char for_adr[AUDIT_FNAME_SZ + AUDIT_FNAME_SZ]; /* plenty of room */
404 char token_id;
405 short i;
406
407 (void) gettimeofday(&tv, (struct timezone *)0);
408 i = strlen(name) + 1;
409 adr_start(&adr, for_adr);
410 #ifdef _LP64
411 token_id = AUT_OTHER_FILE64;
412 adr_char(&adr, &token_id, 1);
413 adr_int64(&adr, (int64_t *)& tv, 2);
414 #else
415 token_id = AUT_OTHER_FILE32;
416 adr_char(&adr, &token_id, 1);
417 adr_int32(&adr, (int32_t *)& tv, 2);
418 #endif
419
420 adr_short(&adr, &i, 1);
421 adr_char(&adr, name, i);
422
423 if (write(fd, for_adr, adr_count(&adr)) < 0) {
424 DPRINT((dbfp, "binfile: Bad write\n"));
425 return (errno);
426 }
427 return (0);
428 }
429
430 /*
431 * close_log - close the file if open. Also put the name of the
432 * new log file in the trailer, and rename the old file
433 * to oldname. The caller must hold log_mutext while calling
434 * close_log since any change to activeDir is a complete redo
435 * of all it points to.
436 * arguments -
437 * oldname - the new name for the file to be closed
438 * newname - the name of the new log file (for the trailer)
439 */
440 static void
441 close_log(dirlist_t **lastOpenDir_ptr, char *oname, char *newname)
442 {
443 char auditdate[AUDIT_DATE_SZ+1];
444 char *name;
445 char oldname[AUDIT_FNAME_SZ+1];
446 dirlist_t *currentdir = *lastOpenDir_ptr;
447
448 if ((currentdir == NULL) || (currentdir->dl_fd == -1))
449 return;
450 /*
451 * If oldname is blank, we were called by auditd_plugin_close()
452 * instead of by open_log, so we need to update our name.
453 */
454 (void) strlcpy(oldname, oname, AUDIT_FNAME_SZ);
455
456 if (strcmp(oldname, "") == 0) {
457 getauditdate(auditdate);
458
459 assert(currentdir->dl_filename != NULL);
460
461 (void) strlcpy(oldname, currentdir->dl_filename,
462 AUDIT_FNAME_SZ);
463
464 name = strrchr(oldname, '/') + 1;
465 (void) memcpy(name + AUDIT_DATE_SZ + 1, auditdate,
466 AUDIT_DATE_SZ);
467 }
468 /*
469 * Write the trailer record and rename and close the file.
470 * If any of the write, rename, or close fail, ignore it
471 * since there is not much else we can do and the next open()
472 * will trigger the necessary full directory logic.
473 *
474 * newname is "" if binfile is being closed down.
475 */
476 (void) write_file_token(currentdir->dl_fd, newname);
477 if (currentdir->dl_fd >= 0) {
478 (void) fsync(currentdir->dl_fd);
479 (void) close(currentdir->dl_fd);
480 }
481 currentdir->dl_fd = -1;
482 (void) rename(currentdir->dl_filename, oldname);
483
484 DPRINT((dbfp, "binfile: Log closed %s\n", oldname));
485
486 freedirlist(currentdir);
487 *lastOpenDir_ptr = NULL;
488 }
489
490
491 /*
492 * open_log - open a new file in the current directory. If a
493 * file is already open, close it.
494 *
495 * return 1 if ok, 0 if all directories are full.
496 *
497 * lastOpenDir - used to get the oldfile name (and change it),
498 * to close the oldfile.
499 *
500 * The caller must hold log_mutex while calling open_log.
501 *
502 */
503 static int
504 open_log(dirlist_t *current_dir)
505 {
506 char auditdate[AUDIT_DATE_SZ + 1];
507 char oldname[AUDIT_FNAME_SZ + 1] = "";
508 char newname[AUDIT_FNAME_SZ + 1];
509 char *name; /* pointer into oldname */
510 int opened = 0;
511 int error = 0;
512 int newfd = 0;
513
514 static char host[MAXHOSTNAMELEN + 1] = "";
515 /* previous directory with open log file */
516
517 if (host[0] == '\0')
518 (void) gethostname(host, MAXHOSTNAMELEN);
519
520 /* Get a filename which does not already exist */
521 while (!opened) {
522 getauditdate(auditdate);
523 (void) snprintf(newname, AUDIT_FNAME_SZ,
524 "%s/%s.not_terminated.%s",
525 current_dir->dl_dirname, auditdate, host);
526 newfd = open(newname,
527 O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0640);
528 if (newfd < 0) {
529 switch (errno) {
530 case EEXIST:
531 DPRINT((dbfp,
532 "open_log says duplicate for %s "
533 "(will try another)\n", newname));
534 (void) sleep(1);
535 break;
536 case ENOENT: {
537 /* invalid path */
538 char *msg;
539 (void) asprintf(&msg,
540 gettext("No such p_dir: %s\n"),
541 current_dir->dl_dirname);
542 DPRINT((dbfp,
543 "open_log says about %s: %s\n",
544 newname, strerror(errno)));
545 __audit_syslog("audit_binfile.so",
546 LOG_CONS | LOG_NDELAY,
547 LOG_DAEMON, LOG_ERR, msg);
548 free(msg);
549 current_dir = current_dir->dl_next;
550 return (0);
551 }
552 default:
553 /* open failed */
554 DPRINT((dbfp,
555 "open_log says full for %s: %s\n",
556 newname, strerror(errno)));
557 current_dir->dl_space = SPACE_FULL;
558 current_dir = current_dir->dl_next;
559 return (0);
560 } /* switch */
561 } else
562 opened = 1;
563 } /* while */
564
565 /*
566 * When we get here, we have opened our new log file.
567 * Now we need to update the name of the old file to
568 * store in this file's header. lastOpenDir may point
569 * to current_dir if the list is only one entry long and
570 * there is only one list.
571 */
572 if ((lastOpenDir != NULL) && (lastOpenDir->dl_filename != NULL)) {
573 (void) strlcpy(oldname, lastOpenDir->dl_filename,
574 AUDIT_FNAME_SZ);
575 name = (char *)strrchr(oldname, '/') + 1;
576
577 (void) memcpy(name + AUDIT_DATE_SZ + 1, auditdate,
578 AUDIT_DATE_SZ);
579
580 close_log(&lastOpenDir, oldname, newname);
581 }
582 error = write_file_token(newfd, oldname);
583 if (error) {
584 /* write token failed */
585 (void) close(newfd);
586
587 current_dir->dl_space = SPACE_FULL;
588 current_dir->dl_fd = -1;
589 free(current_dir->dl_filename);
590 current_dir->dl_filename = NULL;
591 current_dir = current_dir->dl_next;
592 return (0);
593 } else {
594 if (current_dir->dl_filename != NULL) {
595 free(current_dir->dl_filename);
596 }
597 current_dir->dl_filename = strdup(newname);
598 current_dir->dl_fd = newfd;
599
600 if (lastOpenDir == NULL) {
601 freedirlist(lastOpenDir);
602 if ((lastOpenDir = dupdirnode(current_dir)) == NULL) {
603 __audit_syslog("audit_binfile.so",
604 LOG_CONS | LOG_NDELAY,
605 LOG_DAEMON, LOG_ERR, gettext("no memory"));
606 return (0);
607 }
608 DPRINT((dbfp, "open_log created new lastOpenDir "
609 "(%s, %s [fd: %d])\n",
610 lastOpenDir->dl_dirname == NULL ? "" :
611 lastOpenDir->dl_dirname,
612 lastOpenDir->dl_filename == NULL ? "" :
613 lastOpenDir->dl_filename, lastOpenDir->dl_fd));
614 }
615
616 /*
617 * New file opened, so reset file size statistic (used
618 * to ensure audit log does not grow above size limit
619 * set by p_fsize).
620 */
621 binfile_cursize = 0;
622
623 (void) __logpost(newname);
624
625 DPRINT((dbfp, "binfile: Log opened: %s\n", newname));
626 return (1);
627 }
628 }
629
630 #define IGNORE_SIZE 8192
631 /*
632 * spacecheck - determine whether the given directory's filesystem
633 * has the at least the space requested. Also set the space
634 * value in the directory list structure. If the caller
635 * passes other than PLENTY_SPACE or SOFT_SPACE, the caller should
636 * ignore the return value. Otherwise, 0 = less than the
637 * requested space is available, 1 = at least the requested space
638 * is available.
639 *
640 * log_mutex must be held by the caller
641 *
642 * -1 is returned if stat fails
643 *
644 * IGNORE_SIZE is one page (Sol 9 / 10 timeframe) and is the default
645 * buffer size written for Sol 9 and earlier. To keep the same accuracy
646 * for the soft limit check as before, spacecheck checks for space
647 * remaining IGNORE_SIZE bytes. This reduces the number of statvfs()
648 * calls and related math.
649 *
650 * globals -
651 * minfree - the soft limit, i.e., the % of filesystem to reserve
652 */
653 static int
654 spacecheck(dirlist_t *thisdir, int test_limit, size_t next_buf_size)
655 {
656 struct statvfs sb;
657 static int ignore_size = 0;
658
659 ignore_size += next_buf_size;
660
661 if ((test_limit == PLENTY_SPACE) && (ignore_size < IGNORE_SIZE))
662 return (1);
663
664 assert(thisdir != NULL);
665
666 if (statvfs(thisdir->dl_dirname, &sb) < 0) {
667 thisdir->dl_space = SPACE_FULL;
668 minfreeblocks = AVAIL_MIN;
669 return (-1);
670 } else {
671 minfreeblocks = ((minfree * sb.f_blocks) / 100) + AVAIL_MIN;
672
673 if (sb.f_bavail < AVAIL_MIN)
674 thisdir->dl_space = SPACE_FULL;
675 else if (sb.f_bavail > minfreeblocks) {
676 thisdir->dl_space = fullness_state = PLENTY_SPACE;
677 ignore_size = 0;
678 } else
679 thisdir->dl_space = SOFT_SPACE;
680 }
681 if (thisdir->dl_space == PLENTY_SPACE)
682 return (1);
683
684 return (thisdir->dl_space == test_limit);
685 }
686
687 /*
688 * Parses p_fsize value and contains it within the range FSIZE_MIN and
689 * INT_MAX so using uints won't cause an undetected overflow of
690 * INT_MAX. Defaults to 0 if the value is invalid or is missing.
691 */
692 static void
693 save_maxsize(char *maxsize) {
694 /*
695 * strtol() returns a long which could be larger than int so
696 * store here for sanity checking first
697 */
698 long proposed_maxsize;
699
700 if (maxsize != NULL) {
701 /*
702 * There is no explicit error return from strtol() so
703 * we may need to depend on the value of errno.
704 */
705 errno = 0;
706 proposed_maxsize = strtol(maxsize, (char **)NULL, 10);
707
708 /*
709 * If sizeof(long) is greater than sizeof(int) on this
710 * platform, proposed_maxsize might be greater than
711 * INT_MAX without it being reported as ERANGE.
712 */
713 if ((errno == ERANGE) ||
714 ((proposed_maxsize != 0) &&
715 (proposed_maxsize < FSIZE_MIN)) ||
716 (proposed_maxsize > INT_MAX)) {
717 binfile_maxsize = 0;
718 DPRINT((dbfp, "binfile: p_fsize parameter out of "
719 "range: %s\n", maxsize));
720 /*
721 * Inform administrator of the error via
722 * syslog
723 */
724 __audit_syslog("audit_binfile.so",
725 LOG_CONS | LOG_NDELAY,
726 LOG_DAEMON, LOG_ERR,
727 gettext("p_fsize parameter out of range\n"));
728 } else {
729 binfile_maxsize = proposed_maxsize;
730 }
731 } else { /* p_fsize string was not present */
732 binfile_maxsize = 0;
733 }
734
735 DPRINT((dbfp, "binfile: set maxsize to %d\n", binfile_maxsize));
736 }
737
738 /*
739 * auditd_plugin() writes a buffer to the currently open file. The
740 * global "openNewFile" is used to force a new log file for cases such
741 * as the initial open, when minfree is reached, the p_fsize value is
742 * exceeded or the current file system fills up, and "audit -s" with
743 * changed parameters. For "audit -n" a new log file is opened
744 * immediately in auditd_plugin_open().
745 *
746 * This function manages one or more audit directories as follows:
747 *
748 * If the current open file is in a directory that has not
749 * reached the soft limit, write the input data and return.
750 *
751 * Scan the list of directories for one which has not reached
752 * the soft limit; if one is found, write and return. Such
753 * a writable directory is in "PLENTY_SPACE" state.
754 *
755 * Scan the list of directories for one which has not reached
756 * the hard limit; if one is found, write and return. This
757 * directory in in "SOFT_SPACE" state.
758 *
759 * Oh, and if a write fails, handle it like a hard space limit.
760 *
761 * audit_warn (via __audit_dowarn()) is used to alert an operator
762 * at various levels of fullness.
763 */
764 /* ARGSUSED */
765 auditd_rc_t
766 auditd_plugin(const char *input, size_t in_len, uint64_t sequence, char **error)
767 {
768 auditd_rc_t rc = AUDITD_FAIL;
769 int open_status;
770 size_t out_len;
771 /* avoid excess audit_warnage */
772 static int allsoftfull_warning = 0;
773 static int allhard_pause = 0;
774 static struct timeval next_allhard;
775 struct timeval now;
776 #if DEBUG
777 int statrc;
778 static char *last_file_written_to = NULL;
779 static uint64_t last_sequence = 0;
780 static uint64_t write_count = 0;
781
782 if ((last_sequence > 0) && (sequence != last_sequence + 1))
783 (void) fprintf(dbfp,
784 "binfile: buffer sequence=%llu but prev=%llu=n",
785 sequence, last_sequence);
786 last_sequence = sequence;
787
788 (void) fprintf(dbfp, "binfile: input seq=%llu, len=%d\n",
789 sequence, in_len);
790 #endif
791 *error = NULL;
792 /*
793 * lock is for activeDir, referenced by open_log() and close_log()
794 */
795 (void) pthread_mutex_lock(&log_mutex);
796
797 /*
798 * If this would take us over the maximum size, open a new
799 * file, unless maxsize is 0, in which case growth of the
800 * audit log is unrestricted.
801 */
802 if ((binfile_maxsize != 0) &&
803 ((binfile_cursize + in_len) > binfile_maxsize)) {
804 DPRINT((dbfp, "binfile: maxsize exceeded, opening new audit "
805 "file.\n"));
806 openNewFile = 1;
807 }
808
809 while (rc == AUDITD_FAIL) {
810 open_status = 1;
811 if (openNewFile) {
812 open_status = open_log(activeDir);
813 if (open_status == 1) /* ok */
814 openNewFile = 0;
815 }
816 /*
817 * consider "space ok" return and error return the same;
818 * a -1 means spacecheck couldn't check for space.
819 */
820 #if !DEBUG
821 if ((open_status == 1) &&
822 (spacecheck(activeDir, fullness_state, in_len) != 0)) {
823 #else
824 if ((open_status == 1) &&
825 (statrc = spacecheck(activeDir, fullness_state,
826 in_len) != 0)) {
827 DPRINT((dbfp, "binfile: returned from spacecheck\n"));
828 /*
829 * The last copy of last_file_written_to is
830 * never free'd, so there will be one open
831 * memory reference on exit. It's debug only.
832 */
833 if ((last_file_written_to != NULL) &&
834 (strcmp(last_file_written_to,
835 activeDir->dl_filename) != 0)) {
836 DPRINT((dbfp, "binfile: now writing to %s\n",
837 activeDir->dl_filename));
838 free(last_file_written_to);
839 }
840 DPRINT((dbfp, "binfile: finished some debug stuff\n"));
841 last_file_written_to =
842 strdup(activeDir->dl_filename);
843 #endif
844 out_len = write(activeDir->dl_fd, input, in_len);
845 DPRINT((dbfp, "binfile: finished the write\n"));
846
847 binfile_cursize += out_len;
848
849 if (out_len == in_len) {
850 DPRINT((dbfp,
851 "binfile: write_count=%llu, sequence=%llu,"
852 " l=%u\n",
853 ++write_count, sequence, out_len));
854 allsoftfull_warning = 0;
855 activeDir->dl_flags = 0;
856
857 rc = AUDITD_SUCCESS;
858 break;
859 } else if (!(activeDir->dl_flags & HARD_WARNED)) {
860 DPRINT((dbfp,
861 "binfile: write failed, sequence=%llu, "
862 "l=%u\n", sequence, out_len));
863 DPRINT((dbfp, "hard warning sent.\n"));
864 __audit_dowarn("hard", activeDir->dl_dirname,
865 0);
866
867 activeDir->dl_flags |= HARD_WARNED;
868 }
869 } else {
870 DPRINT((dbfp, "binfile: statrc=%d, fullness_state=%d\n",
871 statrc, fullness_state));
872 if (!(activeDir->dl_flags & SOFT_WARNED) &&
873 (activeDir->dl_space == SOFT_SPACE)) {
874 DPRINT((dbfp, "soft warning sent\n"));
875 __audit_dowarn("soft",
876 activeDir->dl_dirname, 0);
877 activeDir->dl_flags |= SOFT_WARNED;
878 }
879 if (!(activeDir->dl_flags & HARD_WARNED) &&
880 (activeDir->dl_space == SPACE_FULL)) {
881 DPRINT((dbfp, "hard warning sent.\n"));
882 __audit_dowarn("hard",
883 activeDir->dl_dirname, 0);
884 activeDir->dl_flags |= HARD_WARNED;
885 }
886 }
887 DPRINT((dbfp, "binfile: activeDir=%s, next=%s\n",
888 activeDir->dl_dirname, activeDir->dl_next->dl_dirname));
889
890 activeDir = activeDir->dl_next;
891 openNewFile = 1;
892
893 if (activeDir == startdir) { /* full circle */
894 if (fullness_state == PLENTY_SPACE) { /* once */
895 fullness_state = SOFT_SPACE;
896 if (allsoftfull_warning == 0) {
897 allsoftfull_warning++;
898 __audit_dowarn("allsoft", "", 0);
899 }
900 } else { /* full circle twice */
901 if ((hung_count > 0) && !allhard_pause) {
902 allhard_pause = 1;
903 (void) gettimeofday(&next_allhard,
904 NULL);
905 next_allhard.tv_sec += ALLHARD_DELAY;
906 }
907
908 if (allhard_pause) {
909 (void) gettimeofday(&now, NULL);
910 if (now.tv_sec >= next_allhard.tv_sec) {
911 allhard_pause = 0;
912 __audit_dowarn("allhard", "",
913 ++hung_count);
914 }
915 } else {
916 __audit_dowarn("allhard", "",
917 ++hung_count);
918 }
919 minfreeblocks = AVAIL_MIN;
920 rc = AUDITD_RETRY;
921 *error = strdup(gettext(
922 "all partitions full\n"));
923 (void) __logpost("");
924 }
925 }
926 }
927 (void) pthread_mutex_unlock(&log_mutex);
928
929 return (rc);
930 }
931
932
933 /*
934 * It may be called multiple times as auditd handles SIGHUP and SIGUSR1
935 * corresponding to the audit(1M) flags -s and -n
936 *
937 * kvlist is NULL only if auditd caught a SIGUSR1 (audit -n), so after the first
938 * time open is called; the reason is -s if kvlist != NULL and -n otherwise.
939 *
940 */
941 auditd_rc_t
942 auditd_plugin_open(const kva_t *kvlist, char **ret_list, char **error)
943 {
944 int rc = 0;
945 int status;
946 int reason;
947 char *dirlist;
948 char *minfree;
949 char *maxsize;
950 kva_t *kv;
951
952 *error = NULL;
953 *ret_list = NULL;
954 kv = (kva_t *)kvlist;
955
956 if (am_open) {
957 if (kvlist == NULL)
958 reason = 1; /* audit -n */
959 else
960 reason = 2; /* audit -s */
961 } else {
962 reason = 0; /* initial open */
963 #if DEBUG
964 dbfp = __auditd_debug_file_open();
965 #endif
966 }
967 DPRINT((dbfp, "binfile: am_open=%d, reason=%d\n", am_open, reason));
968
969 am_open = 1;
970
971 if (kvlist == NULL) {
972 dirlist = NULL;
973 minfree = NULL;
974 maxsize = NULL;
975 } else {
976 dirlist = kva_match(kv, "p_dir");
977 minfree = kva_match(kv, "p_minfree");
978 maxsize = kva_match(kv, "p_fsize");
979 }
980 switch (reason) {
981 case 0: /* initial open */
982 if (!binfile_is_open)
983 (void) pthread_mutex_init(&log_mutex, NULL);
984 binfile_is_open = 1;
985 openNewFile = 1;
986 /* FALLTHRU */
987 case 2: /* audit -s */
988 /* handle p_fsize parameter */
989 save_maxsize(maxsize);
990
991 fullness_state = PLENTY_SPACE;
992 status = loadauditlist(dirlist, minfree);
993
994 if (status == -1) {
995 (void) __logpost("");
996 *error = strdup(gettext("no directories configured"));
997 return (AUDITD_RETRY);
998 } else if (status == AUDITD_NO_MEMORY) {
999 (void) __logpost("");
1000 *error = strdup(gettext("no memory"));
1001 return (status);
1002 } else { /* status is 0 or -2 (no change or changed) */
1003 hung_count = 0;
1004 DPRINT((dbfp, "binfile: loadauditlist returned %d\n",
1005 status));
1006 }
1007 break;
1008 case 1: /* audit -n */
1009 (void) pthread_mutex_lock(&log_mutex);
1010 if (open_log(activeDir) == 1) /* ok */
1011 openNewFile = 0;
1012 (void) pthread_mutex_unlock(&log_mutex);
1013 break;
1014 }
1015
1016 rc = AUDITD_SUCCESS;
1017 *ret_list = NULL;
1018
1019 return (rc);
1020 }
1021
1022 auditd_rc_t
1023 auditd_plugin_close(char **error)
1024 {
1025 *error = NULL;
1026
1027 (void) pthread_mutex_lock(&log_mutex);
1028 close_log(&lastOpenDir, "", "");
1029 freedirlist(activeDir);
1030 activeDir = NULL;
1031 (void) pthread_mutex_unlock(&log_mutex);
1032
1033 DPRINT((dbfp, "binfile: closed\n"));
1034
1035 (void) __logpost("");
1036
1037 if (binfile_is_open) {
1038 (void) pthread_mutex_destroy(&log_mutex);
1039 binfile_is_open = 0;
1040 #if DEBUG
1041 } else {
1042 (void) fprintf(dbfp,
1043 "auditd_plugin_close() called when already closed.");
1044 #endif
1045 }
1046 am_open = 0;
1047 return (AUDITD_SUCCESS);
1048 }