/*
* Copyright (c) 2007 by Apple Computer, Inc., All Rights Reserved.
* Copyright (C) 2011-2013 Sourcefire, Inc.
*/
#include <kern/assert.h>
#include <mach/mach_types.h>
#include <libkern/libkern.h>
#include <libkern/OSAtomic.h>
#include <libkern/OSMalloc.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <sys/kauth.h>
#include <sys/vnode.h>
#include <sys/uio.h>
#include <sys/conf.h>
#include <miscfs/devfs/devfs.h>
#define CLAMAUTH_VERSION "0.3"
#define CLAMAUTH_PROTOCOL_VERSION 2
#pragma mark ***** Global Resources
/* These declarations are required to allocate memory and create locks.
* They're created when we start and destroyed when we stop.
*/
static OSMallocTag gMallocTag = NULL;
static lck_grp_t * gLockGroup = NULL;
#define CLAMAUTH_EVENTS (KAUTH_VNODE_EXECUTE)
struct AuthEvent {
/* don't change the first two fields */
UInt32 action;
char path[1024];
UInt32 pid;
};
#define EVENTQSIZE 64
struct AuthEventQueue {
struct AuthEvent queue[EVENTQSIZE];
int cnt, first, last;
};
void AuthEventInitQueue(struct AuthEventQueue *queue);
void AuthEventEnqueue(struct AuthEventQueue *queue, struct AuthEvent *event);
int AuthEventDequeue(struct AuthEventQueue *queue, struct AuthEvent *event);
void AuthEventInitQueue(struct AuthEventQueue *queue)
{
memset(queue, 0, sizeof(struct AuthEventQueue));
queue->first = queue->cnt = 0;
queue->last = EVENTQSIZE - 1;
}
void AuthEventEnqueue(struct AuthEventQueue *queue, struct AuthEvent *event)
{
queue->last = (queue->last + 1) % EVENTQSIZE;
memcpy(&queue->queue[queue->last], event, sizeof(struct AuthEvent));
queue->cnt++;
}
int AuthEventDequeue(struct AuthEventQueue *queue, struct AuthEvent *event)
{
if(!queue->cnt)
return 1;
memcpy(event, &queue->queue[queue->first], sizeof(struct AuthEvent));
queue->first = (queue->first + 1) % EVENTQSIZE;
queue->cnt--;
return 0;
}
struct AuthEventQueue gEventQueue;
static lck_mtx_t *gEventQueueLock = NULL;
static SInt32 gEventCount = 0;
#define MAX_PREFIX_NUM 10
#define MAX_PREFIX_LEN 128
static char gPrefixTable[MAX_PREFIX_NUM][MAX_PREFIX_LEN];
static unsigned int gPrefixCount = 0;
static int CreateVnodePath(vnode_t vp, char **vpPathPtr)
/* Creates a full path for a vnode. vp may be NULL, in which
* case the returned path is NULL (that is, no memory is allocated).
* vpPathPtr is a place to store the allocated path buffer.
* The caller is responsible for freeing this memory using OSFree
* (the size is always MAXPATHLEN).
*/
{
int err;
int pathLen;
assert( vpPathPtr != NULL);
assert(*vpPathPtr == NULL);
err = 0;
if (vp != NULL) {
*vpPathPtr = OSMalloc(MAXPATHLEN, gMallocTag);
if (*vpPathPtr == NULL) {
err = ENOMEM;
}
if (err == 0) {
pathLen = MAXPATHLEN;
err = vn_getpath(vp, *vpPathPtr, &pathLen);
}
}
return err;
}
/* /dev/clamauth handling */
static int ca_devidx = -1;
static void *ca_devnode = NULL;
int dev_open = 0, dev_read = 0;
static int ca_open(dev_t dev, int flag, int devtype, proc_t p)
{
if(dev_open)
return EBUSY;
dev_open = 1;
return 0;
}
static int ca_close(dev_t dev, int flag, int devtype, proc_t p)
{
struct AuthEvent event;
lck_mtx_lock(gEventQueueLock);
dev_open = 0;
dev_read = 0;
AuthEventInitQueue(&gEventQueue);
/* Initialize event queue and add version info event */
event.action = CLAMAUTH_PROTOCOL_VERSION;
strncpy(event.path, "ClamAuth "CLAMAUTH_VERSION"", sizeof(event.path));
event.pid = 0xdeadbeef;
AuthEventEnqueue(&gEventQueue, &event);
lck_mtx_unlock(gEventQueueLock);
return 0;
}
static int ca_read(dev_t dev, uio_t uio, int ioflag)
{
int ret = 0, size, retq = 0;
struct AuthEvent event;
struct timespec waittime;
waittime.tv_sec = 1;
waittime.tv_nsec = 0;
while(uio_resid(uio) > 0) {
lck_mtx_lock(gEventQueueLock);
retq = AuthEventDequeue(&gEventQueue, &event);
dev_read = 1;
lck_mtx_unlock(gEventQueueLock);
if(retq != 1) {
/* snprintf(info, sizeof(info), "PATH: %s, PID: %d, ACTION: %d\n", event.path, event.pid, event.action); */
size = MIN(uio_resid(uio), sizeof(event));
ret = uiomove((const char *) &event, size, uio);
if(ret)
break;
} else {
//(void) msleep(&gEventQueue, NULL, PUSER, "events", &waittime);
break;
}
}
if(ret) {
printf("ClamAuth: uiomove() failed\n");
}
return ret;
}
static int ca_write(dev_t dev, uio_t uio, int ioflag)
{
return EBADF;
}
static int ca_ioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, proc_t p)
{
return EBADF;
}
static int ca_select(dev_t dev, int flag, void * wql, proc_t p)
{
return EBADF;
}
static struct cdevsw clamauth_cdevsw = {
ca_open,
ca_close,
ca_read,
ca_write,
ca_ioctl,
eno_stop,
eno_reset,
NULL,
ca_select,
eno_mmap,
eno_strat,
eno_getc,
eno_putc,
0
};
static int ca_remove(void)
{
if(ca_devnode)
devfs_remove(ca_devnode);
if(ca_devidx != -1) {
if(cdevsw_remove(ca_devidx, &clamauth_cdevsw) != ca_devidx) {
printf("ClamAuth: cdevsw_remove() failed\n");
return KERN_FAILURE;
}
}
return KERN_SUCCESS;
}
#pragma mark ***** Listener Resources
/* Some scopes (for example KAUTH_SCOPE_VNODE) are called a /lot/. Thus,
* it's a good idea to avoid taking mutexes in your listener if at all
* possible. Thus, we use non-blocking synchronisation to protect the
* global data that's accessed by our listener (gPrefix).
* Every time we enter a listener, we increment gActivationCount, and ever
* time we leave we decrement it. When we want to change the listener, we
* first remove the listener, then we wait for the activation count to hit,
* then we can modify the globals protected by that activation count.
*
* IMPORTANT:
* There is still a race condition here. See RemoveListener for a description
* of the race and why we can't fix it.
*/
static SInt32 gActivationCount = 0;
static int VnodeScopeListener(
kauth_cred_t credential,
void * idata,
kauth_action_t action,
uintptr_t arg0,
uintptr_t arg1,
uintptr_t arg2,
uintptr_t arg3
)
/* A Kauth listener that's called to authorize an action in the vnode scope */
{
#pragma unused(credential)
#pragma unused(idata)
#pragma unused(arg3)
int err;
vfs_context_t context;
vnode_t vp;
vnode_t dvp;
char * vpPath;
char * dvpPath;
struct AuthEvent event;
unsigned int i, mpath = 0;
(void) OSIncrementAtomic(&gActivationCount);
context = (vfs_context_t) arg0;
vp = (vnode_t) arg1;
dvp = (vnode_t) arg2;
vpPath = NULL;
dvpPath = NULL;
/* Convert the vnode, if any, to a path. */
err = CreateVnodePath(vp, &vpPath);
/* Convert the parent directory vnode, if any, to a path. */
if (err == 0)
err = CreateVnodePath(dvp, &dvpPath);
/* Tell the user about this request. Note that we filter requests
* based on gPrefix. If gPrefix is set, only requests where one
* of the paths is prefixed by gPrefix will be printed.
*/
if (err == 0) {
for(i = 0; i < gPrefixCount; i++) {
if(vpPath && strprefix(vpPath, gPrefixTable[i])) {
mpath = 1;
} else if(dvpPath && strprefix(dvpPath, gPrefixTable[i])) {
mpath = 1;
}
if(mpath)
break;
}
if (mpath) {
if(action & CLAMAUTH_EVENTS)
printf(
"scope=" KAUTH_SCOPE_VNODE ", uid=%ld, vp=%s, dvp=%s\n",
(long) kauth_cred_getuid(vfs_context_ucred(context)),
(vpPath != NULL) ? vpPath : "<null>",
(dvpPath != NULL) ? dvpPath : "<null>"
);
event.pid = vfs_context_pid(context);
event.action = action;
if(vpPath) {
strncpy(event.path, vpPath, sizeof(event.path));
event.path[sizeof(event.path) - 1] = 0;
} else {
event.path[0] = 0;
}
lck_mtx_lock(gEventQueueLock);
if(dev_read && (action & CLAMAUTH_EVENTS)) {
// printf("gPrefix: %s, vpPath: %s, dvpPath: %s, action: %d\n", gPrefix, vpPath ? vpPath : "<null>", dvpPath ? dvpPath : "<null>", action);
AuthEventEnqueue(&gEventQueue, &event);
}
lck_mtx_unlock(gEventQueueLock);
(void) OSIncrementAtomic(&gEventCount);
}
} else {
printf("ClamAuth.VnodeScopeListener: Error %d.\n", err);
}
if (vpPath != NULL) {
OSFree(vpPath, MAXPATHLEN, gMallocTag);
}
if (dvpPath != NULL) {
OSFree(dvpPath, MAXPATHLEN, gMallocTag);
}
(void) OSDecrementAtomic(&gActivationCount);
return KAUTH_RESULT_DEFER;
}
static int FileOpScopeListener(
kauth_cred_t credential,
void * idata,
kauth_action_t action,
uintptr_t arg0,
uintptr_t arg1,
uintptr_t arg2,
uintptr_t arg3
)
/* A Kauth listener that's called to authorize an action in the file operation */
{
#pragma unused(credential)
#pragma unused(idata)
#pragma unused(arg2)
#pragma unused(arg3)
struct AuthEvent event;
vfs_context_t context;
const char *path;
unsigned int i, mpath = 0;
if(!dev_read)
return KAUTH_RESULT_DEFER;
context = (vfs_context_t) arg0;
path = (const char *) arg1;
(void) OSIncrementAtomic(&gActivationCount);
switch (action) {
/* case KAUTH_FILEOP_OPEN: */
case KAUTH_FILEOP_EXEC:
for(i = 0; i < gPrefixCount; i++) {
if(strprefix((const char *) arg1, gPrefixTable[i])) {
mpath = 1;
break;
}
}
if(mpath) {
event.pid = vfs_context_pid(context);
event.action = action;
strncpy(event.path, path, sizeof(event.path));
event.path[sizeof(event.path) - 1] = 0;
lck_mtx_lock(gEventQueueLock);
if(dev_read)
AuthEventEnqueue(&gEventQueue, &event);
lck_mtx_unlock(gEventQueueLock);
}
break;
default:
break;
}
(void) OSDecrementAtomic(&gActivationCount);
return KAUTH_RESULT_DEFER;
}
#pragma mark ***** Listener Install/Remove
/* gConfigurationLock is a mutex that protects us from two threads trying to
* simultaneously modify the configuration. The configuration is protect in
* N ways:
*
* o During startup, we register our sysctl OID last, so no one can start
* modifying the configuration until everything is set up nicely.
*
* o During normal operations, the sysctl handler (SysctlHandler) takes
* the lock to prevent two threads from reconfiguring the system at the
* same time.
*
* o During termination, the stop routine first removes the sysctl OID
* and then takes the lock before it removes the listener. The first
* act prevents any new sysctl requests coming it, the second blocks
* until current sysctl requests are done.
*
* IMPORTANT:
* There is still a race condition here. See the stop routine for a description
* of the race and why we can't fix it.
*/
static lck_mtx_t * gConfigurationLock = NULL;
/* gListener is our handle to the installed scope listener. We need to
* keep it around so that we can remove the listener when we're done.
*/
static kauth_listener_t gListener = NULL;
static void RemoveListener(void)
/* Removes the installed scope listener, if any.
*
* Under almost all circumstances this routine runs under the
* gConfigurationLock. The only time that this might not be the case
* is when the KEXT's start routine fails prior to gConfigurationLock
* being created.
*/
{
/* First prevent any more threads entering our listener. */
if (gListener != NULL) {
kauth_unlisten_scope(gListener);
gListener = NULL;
}
/* Then wait for any threads within out listener to stop. Note that there
* is still a race condition here; there could still be a thread executing
* between the OSDecrementAtomic and the return from the listener function
* (for example, FileOpScopeListener). However, there's no way to close
* this race because of the weak concurrency guarantee for kauth_unlisten_scope.
* Moreover, the window is very small and, seeing as this only happens during
* reconfiguration, I'm not too worried. However, I am worried enough
* to ensure that this loop runs at least once, so we always delay the teardown
* for at least one second waiting for the threads to drain from our
* listener.
*/
do {
struct timespec oneSecond;
oneSecond.tv_sec = 1;
oneSecond.tv_nsec = 0;
(void) msleep(&gActivationCount, NULL, PUSER, "com_apple_dts_kext_ClamAuth.RemoveListener", &oneSecond);
} while ( gActivationCount > 0 );
}
static void InstallListener(void)
/* Installs a listener for the specified scope. scope and scopeLen specifies
* the scope to listen for. prefix is a parameter for the scope listener.
* It may be NULL.
*
* prefix points into the gConfiguration global variable, so this routine
* doesn't make a copy of it. However, it has to make a copy of scope
* because scope can point to a place in the middle of the gConfiguration
* variable, so there's no guarantee it's null terminated (which we need it
* to be in order to call kauth_listen_scope.
*
* This routine always runs under the gConfigurationLock.
*/
{
assert(gListener == NULL);
//gListener = kauth_listen_scope(KAUTH_SCOPE_VNODE, VnodeScopeListener, NULL);
gListener = kauth_listen_scope(KAUTH_SCOPE_FILEOP, FileOpScopeListener, NULL);
if (gListener == NULL) {
printf("ClamAuth.InstallListener: Could not create gListener.\n");
RemoveListener();
} else {
printf("ClamAuth: Installed file listener\n");
}
}
static void ConfigureKauth(const char *configuration)
/* This routine is called by the sysctl handler when it notices
* that the configuration has changed. It's responsible for
* parsing the new configuration string and updating the listener.
*
* See SysctlHandler for a description of how I chose to handle the
* failure case.
*
* This routine always runs under the gConfigurationLock.
*/
{
unsigned int i = 0;
assert(configuration != NULL);
/* Remove the existing listener. */
RemoveListener();
/* Parse the configuration string and install the new listener. */
if (strcmp(configuration, "remove") == 0) {
printf("ClamAuth.ConfigureKauth: Removed listener.\n");
} else if ( strprefix(configuration, "monitor ") ) {
const char *cursor;
/* Skip the "monitor ". */
cursor = configuration + strlen("monitor ");
gPrefixCount = 0;
while(*cursor == ' ')
cursor++;
if (!*cursor) {
printf("ClamAuth.ConfigureKauth: Bad configuration '%s'.\n", configuration);
return;
}
while(1) {
if(i < MAX_PREFIX_LEN - 1) {
if(*cursor == ' ') {
gPrefixTable[gPrefixCount][i] = 0;
gPrefixCount++;
i = 0;
if(gPrefixCount >= MAX_PREFIX_NUM) {
printf("ClamAuth.ConfigureKauth: Too many paths (> %u).\n", MAX_PREFIX_NUM);
gPrefixCount = 0;
return;
}
} else {
gPrefixTable[gPrefixCount][i++] = *cursor;
}
} else {
printf("ClamAuth.ConfigureKauth: Path too long (%u > %u).\n", i, MAX_PREFIX_LEN);
gPrefixCount = 0;
return;
}
cursor++;
if(!*cursor) {
gPrefixTable[gPrefixCount][i] = 0;
gPrefixCount++;
break;
}
}
printf("ClamAuth.ConfigureKauth: Monitoring %u path(s)\n", gPrefixCount);
InstallListener();
}
}
/* gConfiguration holds our current configuration string. It's modified by
* SysctlHandler (well, by sysctl_handle_string which is called by SysctlHandler).
*/
static char gConfiguration[1024];
static int SysctlHandler(
struct sysctl_oid * oidp,
void * arg1,
int arg2,
struct sysctl_req * req
)
/* This routine is called by the kernel when the user reads or
* writes our sysctl variable. The arguments are standard for
* a sysctl handler.
*/
{
int result;
/* Prevent two threads trying to change our configuration at the same
* time.
*/
lck_mtx_lock(gConfigurationLock);
/* Let sysctl_handle_string do all the heavy lifting of getting
* and setting the variable.
*/
result = sysctl_handle_string(oidp, arg1, arg2, req);
/* On the way out, if we got no error and a new value was set,
* do our magic.
*/
if ( (result == 0) && (req->newptr != 0) ) {
ConfigureKauth(gConfiguration);
}
lck_mtx_unlock(gConfigurationLock);
return result;
}
/* Declare our sysctl OID (that is, a variable that the user can
* get and set using sysctl). Once this OID is registered (which
* is done in the start routine, ClamAuth_start, below), the user
* user can get and set our configuration variable (gConfiguration)
* using the sysctl command line tool.
*
* We use OID using SYSCTL_OID rather than SYSCTL_STRING because
* we want to override the hander function that's call (we want
* SysctlHandler rather than sysctl_handle_string).
*/
SYSCTL_OID(
_kern, /* parent OID */
OID_AUTO, /* sysctl number, OID_AUTO means we're only accessible by name */
com_apple_dts_kext_ClamAuth, /* our name */
CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_KERN, /* we're a string, more or less */
gConfiguration, /* sysctl_handle_string gets/sets this string */
sizeof(gConfiguration), /* and this is its maximum length */
SysctlHandler, /* our handler */
"A", /* because that's what SYSCTL_STRING does */
"" /* just a comment */
);
/* gRegisteredOID tracks whether we've registered our OID or not. */
static boolean_t gRegisteredOID = FALSE;
#pragma mark ***** Start/Stop
/* Prototypes for our entry points */
extern kern_return_t com_apple_dts_kext_ClamAuth_start(kmod_info_t * ki, void * d);
extern kern_return_t com_apple_dts_kext_ClamAuth_stop(kmod_info_t * ki, void * d);
extern kern_return_t com_apple_dts_kext_ClamAuth_start(kmod_info_t * ki, void * d)
/* Called by the system to start up the kext. */
{
#pragma unused(ki)
#pragma unused(d)
kern_return_t err;
struct AuthEvent event;
ca_devidx = cdevsw_add(-1, &clamauth_cdevsw);
if(ca_devidx == -1) {
printf("ClamAuth: cdevsw_add() failed\n");
return KERN_FAILURE;
}
ca_devnode = devfs_make_node(makedev(ca_devidx, 0), DEVFS_CHAR, UID_ROOT, GID_WHEEL, 0660, "clamauth");
if(!ca_devnode) {
printf("ClamAuth: Can't create /dev/clamauth\n");
return ca_remove();
}
/* Allocate our global resources, needed in order to allocate memory
* and locks throughout the rest of the program.
*/
err = KERN_SUCCESS;
gMallocTag = OSMalloc_Tagalloc("com.apple.dts.kext.ClamAuth", OSMT_DEFAULT);
if (gMallocTag == NULL) {
err = KERN_FAILURE;
}
if (err == KERN_SUCCESS) {
gLockGroup = lck_grp_alloc_init("com.apple.dts.kext.ClamAuth", LCK_GRP_ATTR_NULL);
if (gLockGroup == NULL) {
err = KERN_FAILURE;
}
}
/* Allocate the lock that protects our configuration. */
if (err == KERN_SUCCESS) {
gConfigurationLock = lck_mtx_alloc_init(gLockGroup, LCK_ATTR_NULL);
if (gConfigurationLock == NULL) {
err = KERN_FAILURE;
}
}
/* Event queue lock */
if (err == KERN_SUCCESS) {
gEventQueueLock = lck_mtx_alloc_init(gLockGroup, LCK_ATTR_NULL);
if (gEventQueueLock == NULL) {
err = KERN_FAILURE;
}
}
AuthEventInitQueue(&gEventQueue);
/* Initialize event queue and add version info event */
event.action = CLAMAUTH_PROTOCOL_VERSION;
strncpy(event.path, "ClamAuth "CLAMAUTH_VERSION"", sizeof(event.path));
event.pid = 0xdeadbeef;
AuthEventEnqueue(&gEventQueue, &event);
/* Register our sysctl handler. */
if (err == KERN_SUCCESS) {
sysctl_register_oid(&sysctl__kern_com_apple_dts_kext_ClamAuth);
gRegisteredOID = TRUE;
}
/* If we failed, shut everything down. */
if (err != KERN_SUCCESS) {
printf("ClamAuth_start: Failed to initialize the driver\n");
(void) com_apple_dts_kext_ClamAuth_stop(ki, d);
} else
printf("ClamAuth_start: ClamAV kernel driver loaded\n");
return err;
}
extern kern_return_t com_apple_dts_kext_ClamAuth_stop(kmod_info_t * ki, void * d)
/* Called by the system to shut down the kext. */
{
#pragma unused(ki)
#pragma unused(d)
int ret;
/* Remove our sysctl handler. This prevents more threads entering the
* handler and trying to change the configuration. There is still a
* race condition here though. If a thread is already running in our
* sysctl handler, there's no way to guarantee that it's done before
* we destroy key resources (notably the gConfigurationLock mutex) that
* it depends on. That's because sysctl_unregister_oid makes no attempt
* to wait until all threads running inside the OID handler are done
* before it returns. I could do stuff to minimise the risk, but there's
* is no 100% way to close this race so I'm going to ignore it.
*/
if (gRegisteredOID) {
sysctl_unregister_oid(&sysctl__kern_com_apple_dts_kext_ClamAuth);
gRegisteredOID = FALSE;
}
/* remove the character device */
ret = ca_remove();
/* Shut down the scope listen, if any. Not that we lock gConfigurationLock
* because RemoveListener requires it to be locked. Further note that
* we only do this if the lock has actually been allocated. If the startup
* routine fails, we can get called with gConfigurationLock set to NULL.
*/
if (gConfigurationLock != NULL) {
lck_mtx_lock(gConfigurationLock);
}
RemoveListener();
if (gConfigurationLock != NULL) {
lck_mtx_unlock(gConfigurationLock);
}
/* Clean up the configuration lock. */
if (gConfigurationLock != NULL) {
lck_mtx_free(gConfigurationLock, gLockGroup);
gConfigurationLock = NULL;
}
/* Clean up the event queue lock. */
if (gEventQueueLock != NULL) {
lck_mtx_free(gEventQueueLock, gLockGroup);
gEventQueueLock = NULL;
}
/* Clean up our global resources. */
if (gLockGroup != NULL) {
lck_grp_free(gLockGroup);
gLockGroup = NULL;
}
if (gMallocTag != NULL) {
OSMalloc_Tagfree(gMallocTag);
gMallocTag = NULL;
}
printf("ClamAuth_stop: ClamAV kernel driver removed\n");
return ret;
}