freebsd-skq/sys/kern/kern_acct.c
Robert Watson 30d239bc4c Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00

657 lines
19 KiB
C

/*-
* Copyright (c) 1982, 1986, 1989, 1993
* The Regents of the University of California. All rights reserved.
* (c) UNIX System Laboratories, Inc.
* Copyright (c) 2005 Robert N. M. Watson
* All rights reserved.
*
* All or some portions of this file are derived from material licensed
* to the University of California by American Telephone and Telegraph
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
* the permission of UNIX System Laboratories, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* Copyright (c) 1994 Christopher G. Demetriou
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)kern_acct.c 8.1 (Berkeley) 6/14/93
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/kthread.h>
#include <sys/limits.h>
#include <sys/lock.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resourcevar.h>
#include <sys/sched.h>
#include <sys/sx.h>
#include <sys/sysctl.h>
#include <sys/sysent.h>
#include <sys/syslog.h>
#include <sys/sysproto.h>
#include <sys/tty.h>
#include <sys/vnode.h>
#include <security/mac/mac_framework.h>
/*
* The routines implemented in this file are described in:
* Leffler, et al.: The Design and Implementation of the 4.3BSD
* UNIX Operating System (Addison Welley, 1989)
* on pages 62-63.
* On May 2007 the historic 3 bits base 8 exponent, 13 bit fraction
* compt_t representation described in the above reference was replaced
* with that of IEEE-754 floats.
*
* Arguably, to simplify accounting operations, this mechanism should
* be replaced by one in which an accounting log file (similar to /dev/klog)
* is read by a user process, etc. However, that has its own problems.
*/
/* Floating point definitions from <float.h>. */
#define FLT_MANT_DIG 24 /* p */
#define FLT_MAX_EXP 128 /* emax */
/*
* Internal accounting functions.
* The former's operation is described in Leffler, et al., and the latter
* was provided by UCB with the 4.4BSD-Lite release
*/
static uint32_t encode_timeval(struct timeval);
static uint32_t encode_long(long);
static void acctwatch(void);
static void acct_thread(void *);
static int acct_disable(struct thread *);
/*
* Accounting vnode pointer, saved vnode pointer, and flags for each.
* acct_sx protects against changes to the active vnode and credentials
* while accounting records are being committed to disk.
*/
static int acct_configured;
static int acct_suspended;
static struct vnode *acct_vp;
static struct ucred *acct_cred;
static int acct_flags;
static struct sx acct_sx;
SX_SYSINIT(acct, &acct_sx, "acct_sx");
/*
* State of the accounting kthread.
*/
static int acct_state;
#define ACCT_RUNNING 1 /* Accounting kthread is running. */
#define ACCT_EXITREQ 2 /* Accounting kthread should exit. */
/*
* Values associated with enabling and disabling accounting
*/
static int acctsuspend = 2; /* stop accounting when < 2% free space left */
SYSCTL_INT(_kern, OID_AUTO, acct_suspend, CTLFLAG_RW,
&acctsuspend, 0, "percentage of free disk space below which accounting stops");
static int acctresume = 4; /* resume when free space risen to > 4% */
SYSCTL_INT(_kern, OID_AUTO, acct_resume, CTLFLAG_RW,
&acctresume, 0, "percentage of free disk space above which accounting resumes");
static int acctchkfreq = 15; /* frequency (in seconds) to check space */
static int
sysctl_acct_chkfreq(SYSCTL_HANDLER_ARGS)
{
int error, value;
/* Write out the old value. */
error = SYSCTL_OUT(req, &acctchkfreq, sizeof(int));
if (error || req->newptr == NULL)
return (error);
/* Read in and verify the new value. */
error = SYSCTL_IN(req, &value, sizeof(int));
if (error)
return (error);
if (value <= 0)
return (EINVAL);
acctchkfreq = value;
return (0);
}
SYSCTL_PROC(_kern, OID_AUTO, acct_chkfreq, CTLTYPE_INT|CTLFLAG_RW,
&acctchkfreq, 0, sysctl_acct_chkfreq, "I",
"frequency for checking the free space");
SYSCTL_INT(_kern, OID_AUTO, acct_configured, CTLFLAG_RD, &acct_configured, 0,
"Accounting configured or not");
SYSCTL_INT(_kern, OID_AUTO, acct_suspended, CTLFLAG_RD, &acct_suspended, 0,
"Accounting suspended or not");
/*
* Accounting system call. Written based on the specification and previous
* implementation done by Mark Tinguely.
*/
int
acct(struct thread *td, struct acct_args *uap)
{
struct nameidata nd;
int error, flags, vfslocked;
error = priv_check(td, PRIV_ACCT);
if (error)
return (error);
/*
* If accounting is to be started to a file, open that file for
* appending and make sure it's a 'normal'.
*/
if (uap->path != NULL) {
NDINIT(&nd, LOOKUP, NOFOLLOW | MPSAFE | AUDITVNODE1,
UIO_USERSPACE, uap->path, td);
flags = FWRITE | O_APPEND;
error = vn_open(&nd, &flags, 0, NULL);
if (error)
return (error);
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
error = mac_system_check_acct(td->td_ucred, nd.ni_vp);
if (error) {
VOP_UNLOCK(nd.ni_vp, 0, td);
vn_close(nd.ni_vp, flags, td->td_ucred, td);
VFS_UNLOCK_GIANT(vfslocked);
return (error);
}
#endif
VOP_UNLOCK(nd.ni_vp, 0, td);
if (nd.ni_vp->v_type != VREG) {
vn_close(nd.ni_vp, flags, td->td_ucred, td);
VFS_UNLOCK_GIANT(vfslocked);
return (EACCES);
}
VFS_UNLOCK_GIANT(vfslocked);
#ifdef MAC
} else {
error = mac_system_check_acct(td->td_ucred, NULL);
if (error)
return (error);
#endif
}
/*
* Disallow concurrent access to the accounting vnode while we swap
* it out, in order to prevent access after close.
*/
sx_xlock(&acct_sx);
/*
* If accounting was previously enabled, kill the old space-watcher,
* close the file, and (if no new file was specified, leave). Reset
* the suspended state regardless of whether accounting remains
* enabled.
*/
acct_suspended = 0;
if (acct_vp != NULL) {
vfslocked = VFS_LOCK_GIANT(acct_vp->v_mount);
error = acct_disable(td);
VFS_UNLOCK_GIANT(vfslocked);
}
if (uap->path == NULL) {
if (acct_state & ACCT_RUNNING) {
acct_state |= ACCT_EXITREQ;
wakeup(&acct_state);
}
sx_xunlock(&acct_sx);
return (error);
}
/*
* Save the new accounting file vnode, and schedule the new
* free space watcher.
*/
acct_vp = nd.ni_vp;
acct_cred = crhold(td->td_ucred);
acct_flags = flags;
if (acct_state & ACCT_RUNNING)
acct_state &= ~ACCT_EXITREQ;
else {
/*
* Try to start up an accounting kthread. We may start more
* than one, but if so the extras will commit suicide as
* soon as they start up.
*/
error = kproc_create(acct_thread, NULL, NULL, 0, 0,
"accounting");
if (error) {
vfslocked = VFS_LOCK_GIANT(acct_vp->v_mount);
(void) vn_close(acct_vp, acct_flags, acct_cred, td);
VFS_UNLOCK_GIANT(vfslocked);
crfree(acct_cred);
acct_configured = 0;
acct_vp = NULL;
acct_cred = NULL;
acct_flags = 0;
sx_xunlock(&acct_sx);
log(LOG_NOTICE, "Unable to start accounting thread\n");
return (error);
}
}
acct_configured = 1;
sx_xunlock(&acct_sx);
log(LOG_NOTICE, "Accounting enabled\n");
return (error);
}
/*
* Disable currently in-progress accounting by closing the vnode, dropping
* our reference to the credential, and clearing the vnode's flags.
*/
static int
acct_disable(struct thread *td)
{
int error;
sx_assert(&acct_sx, SX_XLOCKED);
error = vn_close(acct_vp, acct_flags, acct_cred, td);
crfree(acct_cred);
acct_configured = 0;
acct_vp = NULL;
acct_cred = NULL;
acct_flags = 0;
log(LOG_NOTICE, "Accounting disabled\n");
return (error);
}
/*
* Write out process accounting information, on process exit.
* Data to be written out is specified in Leffler, et al.
* and are enumerated below. (They're also noted in the system
* "acct.h" header file.)
*/
int
acct_process(struct thread *td)
{
struct acctv2 acct;
struct timeval ut, st, tmp;
struct plimit *newlim, *oldlim;
struct proc *p;
struct rusage ru;
int t, ret, vfslocked;
/*
* Lockless check of accounting condition before doing the hard
* work.
*/
if (acct_vp == NULL || acct_suspended)
return (0);
sx_slock(&acct_sx);
/*
* If accounting isn't enabled, don't bother. Have to check again
* once we own the lock in case we raced with disabling of accounting
* by another thread.
*/
if (acct_vp == NULL || acct_suspended) {
sx_sunlock(&acct_sx);
return (0);
}
p = td->td_proc;
/*
* Get process accounting information.
*/
PROC_LOCK(p);
/* (1) The name of the command that ran */
bcopy(p->p_comm, acct.ac_comm, sizeof acct.ac_comm);
/* (2) The amount of user and system time that was used */
rufetchcalc(p, &ru, &ut, &st);
acct.ac_utime = encode_timeval(ut);
acct.ac_stime = encode_timeval(st);
/* (3) The elapsed time the command ran (and its starting time) */
tmp = boottime;
timevaladd(&tmp, &p->p_stats->p_start);
acct.ac_btime = tmp.tv_sec;
microuptime(&tmp);
timevalsub(&tmp, &p->p_stats->p_start);
acct.ac_etime = encode_timeval(tmp);
/* (4) The average amount of memory used */
tmp = ut;
timevaladd(&tmp, &st);
/* Convert tmp (i.e. u + s) into hz units to match ru_i*. */
t = tmp.tv_sec * hz + tmp.tv_usec / tick;
if (t)
acct.ac_mem = encode_long((ru.ru_ixrss + ru.ru_idrss +
+ ru.ru_isrss) / t);
else
acct.ac_mem = 0;
/* (5) The number of disk I/O operations done */
acct.ac_io = encode_long(ru.ru_inblock + ru.ru_oublock);
/* (6) The UID and GID of the process */
acct.ac_uid = p->p_ucred->cr_ruid;
acct.ac_gid = p->p_ucred->cr_rgid;
/* (7) The terminal from which the process was started */
SESS_LOCK(p->p_session);
if ((p->p_flag & P_CONTROLT) && p->p_pgrp->pg_session->s_ttyp)
acct.ac_tty = dev2udev(p->p_pgrp->pg_session->s_ttyp->t_dev);
else
acct.ac_tty = NODEV;
SESS_UNLOCK(p->p_session);
/* (8) The boolean flags that tell how the process terminated, etc. */
acct.ac_flagx = p->p_acflag;
PROC_UNLOCK(p);
/* Setup ancillary structure fields. */
acct.ac_flagx |= ANVER;
acct.ac_zero = 0;
acct.ac_version = 2;
acct.ac_len = acct.ac_len2 = sizeof(acct);
/*
* Eliminate any file size rlimit.
*/
newlim = lim_alloc();
PROC_LOCK(p);
oldlim = p->p_limit;
lim_copy(newlim, oldlim);
newlim->pl_rlimit[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
p->p_limit = newlim;
PROC_UNLOCK(p);
lim_free(oldlim);
/*
* Write the accounting information to the file.
*/
vfslocked = VFS_LOCK_GIANT(acct_vp->v_mount);
VOP_LEASE(acct_vp, td, acct_cred, LEASE_WRITE);
ret = vn_rdwr(UIO_WRITE, acct_vp, (caddr_t)&acct, sizeof (acct),
(off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, acct_cred, NOCRED,
(int *)0, td);
VFS_UNLOCK_GIANT(vfslocked);
sx_sunlock(&acct_sx);
return (ret);
}
/* FLOAT_CONVERSION_START (Regression testing; don't remove this line.) */
/* Convert timevals and longs into IEEE-754 bit patterns. */
/* Mantissa mask (MSB is implied, so subtract 1). */
#define MANT_MASK ((1 << (FLT_MANT_DIG - 1)) - 1)
/*
* We calculate integer values to a precision of approximately
* 28 bits.
* This is high-enough precision to fill the 24 float bits
* and low-enough to avoid overflowing the 32 int bits.
*/
#define CALC_BITS 28
/* log_2(1000000). */
#define LOG2_1M 20
/*
* Convert the elements of a timeval into a 32-bit word holding
* the bits of a IEEE-754 float.
* The float value represents the timeval's value in microsecond units.
*/
static uint32_t
encode_timeval(struct timeval tv)
{
int log2_s;
int val, exp; /* Unnormalized value and exponent */
int norm_exp; /* Normalized exponent */
int shift;
/*
* First calculate value and exponent to about CALC_BITS precision.
* Note that the following conditionals have been ordered so that
* the most common cases appear first.
*/
if (tv.tv_sec == 0) {
if (tv.tv_usec == 0)
return (0);
exp = 0;
val = tv.tv_usec;
} else {
/*
* Calculate the value to a precision of approximately
* CALC_BITS.
*/
log2_s = fls(tv.tv_sec) - 1;
if (log2_s + LOG2_1M < CALC_BITS) {
exp = 0;
val = 1000000 * tv.tv_sec + tv.tv_usec;
} else {
exp = log2_s + LOG2_1M - CALC_BITS;
val = (unsigned int)(((u_int64_t)1000000 * tv.tv_sec +
tv.tv_usec) >> exp);
}
}
/* Now normalize and pack the value into an IEEE-754 float. */
norm_exp = fls(val) - 1;
shift = FLT_MANT_DIG - norm_exp - 1;
#ifdef ACCT_DEBUG
printf("val=%d exp=%d shift=%d log2(val)=%d\n",
val, exp, shift, norm_exp);
printf("exp=%x mant=%x\n", FLT_MAX_EXP - 1 + exp + norm_exp,
((shift > 0 ? (val << shift) : (val >> -shift)) & MANT_MASK));
#endif
return (((FLT_MAX_EXP - 1 + exp + norm_exp) << (FLT_MANT_DIG - 1)) |
((shift > 0 ? val << shift : val >> -shift) & MANT_MASK));
}
/*
* Convert a non-negative long value into the bit pattern of
* an IEEE-754 float value.
*/
static uint32_t
encode_long(long val)
{
int norm_exp; /* Normalized exponent */
int shift;
if (val == 0)
return (0);
if (val < 0) {
log(LOG_NOTICE,
"encode_long: negative value %ld in accounting record\n",
val);
val = LONG_MAX;
}
norm_exp = fls(val) - 1;
shift = FLT_MANT_DIG - norm_exp - 1;
#ifdef ACCT_DEBUG
printf("val=%d shift=%d log2(val)=%d\n",
val, shift, norm_exp);
printf("exp=%x mant=%x\n", FLT_MAX_EXP - 1 + exp + norm_exp,
((shift > 0 ? (val << shift) : (val >> -shift)) & MANT_MASK));
#endif
return (((FLT_MAX_EXP - 1 + norm_exp) << (FLT_MANT_DIG - 1)) |
((shift > 0 ? val << shift : val >> -shift) & MANT_MASK));
}
/* FLOAT_CONVERSION_END (Regression testing; don't remove this line.) */
/*
* Periodically check the filesystem to see if accounting
* should be turned on or off. Beware the case where the vnode
* has been vgone()'d out from underneath us, e.g. when the file
* system containing the accounting file has been forcibly unmounted.
*/
/* ARGSUSED */
static void
acctwatch(void)
{
struct statfs sb;
int vfslocked;
sx_assert(&acct_sx, SX_XLOCKED);
/*
* If accounting was disabled before our kthread was scheduled,
* then acct_vp might be NULL. If so, just ask our kthread to
* exit and return.
*/
if (acct_vp == NULL) {
acct_state |= ACCT_EXITREQ;
return;
}
/*
* If our vnode is no longer valid, tear it down and signal the
* accounting thread to die.
*/
vfslocked = VFS_LOCK_GIANT(acct_vp->v_mount);
if (acct_vp->v_type == VBAD) {
(void) acct_disable(NULL);
VFS_UNLOCK_GIANT(vfslocked);
acct_state |= ACCT_EXITREQ;
return;
}
/*
* Stopping here is better than continuing, maybe it will be VBAD
* next time around.
*/
if (VFS_STATFS(acct_vp->v_mount, &sb, curthread) < 0) {
VFS_UNLOCK_GIANT(vfslocked);
return;
}
VFS_UNLOCK_GIANT(vfslocked);
if (acct_suspended) {
if (sb.f_bavail > (int64_t)(acctresume * sb.f_blocks /
100)) {
acct_suspended = 0;
log(LOG_NOTICE, "Accounting resumed\n");
}
} else {
if (sb.f_bavail <= (int64_t)(acctsuspend * sb.f_blocks /
100)) {
acct_suspended = 1;
log(LOG_NOTICE, "Accounting suspended\n");
}
}
}
/*
* The main loop for the dedicated kernel thread that periodically calls
* acctwatch().
*/
static void
acct_thread(void *dummy)
{
u_char pri;
/* This is a low-priority kernel thread. */
pri = PRI_MAX_KERN;
thread_lock(curthread);
sched_prio(curthread, pri);
thread_unlock(curthread);
/* If another accounting kthread is already running, just die. */
sx_xlock(&acct_sx);
if (acct_state & ACCT_RUNNING) {
sx_xunlock(&acct_sx);
kproc_exit(0);
}
acct_state |= ACCT_RUNNING;
/* Loop until we are asked to exit. */
while (!(acct_state & ACCT_EXITREQ)) {
/* Perform our periodic checks. */
acctwatch();
/*
* We check this flag again before sleeping since the
* acctwatch() might have shut down accounting and asked us
* to exit.
*/
if (!(acct_state & ACCT_EXITREQ)) {
sx_sleep(&acct_state, &acct_sx, 0, "-",
acctchkfreq * hz);
}
}
/*
* Acknowledge the exit request and shutdown. We clear both the
* exit request and running flags.
*/
acct_state = 0;
sx_xunlock(&acct_sx);
kproc_exit(0);
}