1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #include <stdarg.h>
28 #include <string.h>
29 #include <sys/malloc.h>
30 #include <sys/time.h>
31 #include <sys/dtrace.h>
32 #include <sys/dtrace_impl.h>
33 #include <sys/proc_internal.h>
34 #include <sys/vnode.h>
35 #include <kern/debug.h>
36 #include <kern/sched_prim.h>
37 #include <kern/task.h>
38 #include <machine/machine_routines.h>
39
40 #if CONFIG_CSR
41 #include <sys/codesign.h>
42 #include <sys/csr.h>
43 #endif
44
45 /*
46 * APPLE NOTE: Solaris proc_t is the struct.
47 * Darwin's proc_t is a pointer to it.
48 */
49 #define proc_t struct proc /* Steer clear of the Darwin typedef for proc_t */
50
51
52 /* Copied from an arch specific dtrace_subr.c. */
53 int (*dtrace_fasttrap_probe_ptr)(struct regs *);
54
55 /*
56 * Following DTrace hooks are taken from Solaris' dtrace_subr.c
57 * They're assigned in dtrace.c but Darwin never calls them.
58 */
59 void (*dtrace_cpu_init)(processorid_t);
60 int (*dtrace_modload)(struct kmod_info *, uint32_t);
61 int (*dtrace_modunload)(struct kmod_info *);
62 void (*dtrace_helpers_cleanup)(proc_t *);
63 void (*dtrace_helpers_fork)(proc_t *, proc_t *);
64 void (*dtrace_cpustart_init)(void);
65 void (*dtrace_cpustart_fini)(void);
66
67 void (*dtrace_debugger_init)(void);
68 void (*dtrace_debugger_fini)(void);
69
70 dtrace_vtime_state_t dtrace_vtime_active = 0;
71 dtrace_cacheid_t dtrace_predcache_id = DTRACE_CACHEIDNONE + 1;
72
73 void (*dtrace_fasttrap_fork_ptr)(proc_t *, proc_t *);
74 void (*dtrace_fasttrap_exec_ptr)(proc_t *);
75 void (*dtrace_fasttrap_exit_ptr)(proc_t *);
76
77 /*
78 * This function is called by cfork() in the event that it appears that
79 * there may be dtrace tracepoints active in the parent process's address
80 * space. This first confirms the existence of dtrace tracepoints in the
81 * parent process and calls into the fasttrap module to remove the
82 * corresponding tracepoints from the child. By knowing that there are
83 * existing tracepoints, and ensuring they can't be removed, we can rely
84 * on the fasttrap module remaining loaded.
85 */
86 void
dtrace_fasttrap_fork(proc_t * p,proc_t * cp)87 dtrace_fasttrap_fork(proc_t *p, proc_t *cp)
88 {
89 if (dtrace_fasttrap_fork_ptr) {
90 (*dtrace_fasttrap_fork_ptr)(p, cp);
91 }
92 }
93
94
95 /*
96 * DTrace wait for process execution
97 *
98 * This feature is using a list of entries, each entry containing a pointer
99 * on a process description. The description is provided by a client, and it
100 * contains the command we want to wait for along with a reserved space for
101 * the caught process id.
102 *
103 * Once an awaited process has been spawned, it will be suspended before
104 * notifying the client. Once the client has been back to userland, it's its
105 * duty to resume the task.
106 */
107
108 LCK_MTX_DECLARE_ATTR(dtrace_procwaitfor_lock, &dtrace_lck_grp, &dtrace_lck_attr);
109
110 typedef struct dtrace_proc_awaited_entry {
111 struct dtrace_procdesc *pdesc;
112 LIST_ENTRY(dtrace_proc_awaited_entry) entries;
113 } dtrace_proc_awaited_entry_t;
114
115 LIST_HEAD(listhead, dtrace_proc_awaited_entry) dtrace_proc_awaited_head
116 = LIST_HEAD_INITIALIZER(dtrace_proc_awaited_head);
117
118 void (*dtrace_proc_waitfor_exec_ptr)(proc_t*) = NULL;
119
120 static int
dtrace_proc_get_execpath(proc_t * p,char * buffer,int * maxlen)121 dtrace_proc_get_execpath(proc_t *p, char *buffer, int *maxlen)
122 {
123 int err = 0, vid = 0;
124 vnode_t tvp = NULLVP, nvp = NULLVP;
125
126 ASSERT(p);
127 ASSERT(buffer);
128 ASSERT(maxlen);
129
130 if ((tvp = p->p_textvp) == NULLVP)
131 return ESRCH;
132
133 vid = vnode_vid(tvp);
134 if ((err = vnode_getwithvid(tvp, vid)) != 0)
135 return err;
136
137 if ((err = vn_getpath_fsenter(tvp, buffer, maxlen)) != 0)
138 return err;
139 vnode_put(tvp);
140
141 if ((err = vnode_lookup(buffer, 0, &nvp, vfs_context_current())) != 0)
142 return err;
143 if (nvp != NULLVP)
144 vnode_put(nvp);
145
146 return 0;
147 }
148
149
150 static void
dtrace_proc_exec_notification(proc_t * p)151 dtrace_proc_exec_notification(proc_t *p) {
152 dtrace_proc_awaited_entry_t *entry, *tmp;
153 static char execpath[MAXPATHLEN];
154
155 ASSERT(p);
156 ASSERT(proc_getpid(p) != -1);
157 ASSERT(current_task() != proc_task(p));
158
159 lck_mtx_lock(&dtrace_procwaitfor_lock);
160
161 LIST_FOREACH_SAFE(entry, &dtrace_proc_awaited_head, entries, tmp) {
162 /* By default consider we're using p_comm. */
163 char *pname = p->p_comm;
164
165 /* Already matched with another process. */
166 if (((entry->pdesc->p_pid) != -1))
167 continue;
168
169 /* p_comm is too short, use the execpath. */
170 if (entry->pdesc->p_name_length >= MAXCOMLEN) {
171 /*
172 * Retrieve the executable path. After the call, length contains
173 * the length of the string + 1.
174 */
175 int length = sizeof(execpath);
176 if (dtrace_proc_get_execpath(p, execpath, &length) != 0)
177 continue;
178 /* Move the cursor to the position after the last / */
179 pname = &execpath[length - 1];
180 while (pname != execpath && *pname != '/')
181 pname--;
182 pname = (*pname == '/') ? pname + 1 : pname;
183 }
184
185 if (!strcmp(entry->pdesc->p_name, pname)) {
186 entry->pdesc->p_pid = proc_getpid(p);
187 task_pidsuspend(proc_task(p));
188 wakeup(entry);
189 }
190 }
191
192 lck_mtx_unlock(&dtrace_procwaitfor_lock);
193 }
194
195 int
dtrace_proc_waitfor(dtrace_procdesc_t * pdesc)196 dtrace_proc_waitfor(dtrace_procdesc_t* pdesc) {
197 dtrace_proc_awaited_entry_t entry;
198 int res;
199
200 ASSERT(pdesc);
201 ASSERT(pdesc->p_name);
202
203 /*
204 * Never trust user input, compute the length of the process name and ensure the
205 * string is null terminated.
206 */
207 pdesc->p_name_length = (int) strnlen(pdesc->p_name, sizeof(pdesc->p_name));
208 if (pdesc->p_name_length >= (int) sizeof(pdesc->p_name))
209 return -1;
210
211 lck_mtx_lock(&dtrace_procwaitfor_lock);
212
213 /* Initialize and insert the entry, then install the hook. */
214 pdesc->p_pid = -1;
215 entry.pdesc = pdesc;
216 LIST_INSERT_HEAD(&dtrace_proc_awaited_head, &entry, entries);
217 dtrace_proc_waitfor_exec_ptr = &dtrace_proc_exec_notification;
218
219 /* Sleep until the process has been executed */
220 res = msleep(&entry, &dtrace_procwaitfor_lock, PCATCH, "dtrace_proc_waitfor", NULL);
221
222 /* Remove the entry and the hook if it is not needed anymore. */
223 LIST_REMOVE(&entry, entries);
224 if (LIST_EMPTY(&dtrace_proc_awaited_head))
225 dtrace_proc_waitfor_exec_ptr = NULL;
226
227 lck_mtx_unlock(&dtrace_procwaitfor_lock);
228
229 return res;
230 }
231
232
233 typedef struct dtrace_invop_hdlr {
234 int (*dtih_func)(uintptr_t, uintptr_t *, uintptr_t);
235 struct dtrace_invop_hdlr *dtih_next;
236 } dtrace_invop_hdlr_t;
237
238 dtrace_invop_hdlr_t *dtrace_invop_hdlr;
239
240 int
241 dtrace_invop(uintptr_t, uintptr_t *, uintptr_t);
242
243 int
dtrace_invop(uintptr_t addr,uintptr_t * stack,uintptr_t eax)244 dtrace_invop(uintptr_t addr, uintptr_t *stack, uintptr_t eax)
245 {
246 dtrace_invop_hdlr_t *hdlr;
247 int rval;
248
249 for (hdlr = dtrace_invop_hdlr; hdlr != NULL; hdlr = hdlr->dtih_next) {
250 if ((rval = hdlr->dtih_func(addr, stack, eax)) != 0)
251 return (rval);
252 }
253
254 return (0);
255 }
256
257 void
dtrace_invop_add(int (* func)(uintptr_t,uintptr_t *,uintptr_t))258 dtrace_invop_add(int (*func)(uintptr_t, uintptr_t *, uintptr_t))
259 {
260 dtrace_invop_hdlr_t *hdlr;
261
262 hdlr = kmem_alloc(sizeof (dtrace_invop_hdlr_t), KM_SLEEP);
263 hdlr->dtih_func = func;
264 hdlr->dtih_next = dtrace_invop_hdlr;
265 dtrace_invop_hdlr = hdlr;
266 }
267
268 void
dtrace_invop_remove(int (* func)(uintptr_t,uintptr_t *,uintptr_t))269 dtrace_invop_remove(int (*func)(uintptr_t, uintptr_t *, uintptr_t))
270 {
271 dtrace_invop_hdlr_t *hdlr = dtrace_invop_hdlr, *prev = NULL;
272
273 for (;;) {
274 if (hdlr == NULL)
275 panic("attempt to remove non-existent invop handler");
276
277 if (hdlr->dtih_func == func)
278 break;
279
280 prev = hdlr;
281 hdlr = hdlr->dtih_next;
282 }
283
284 if (prev == NULL) {
285 ASSERT(dtrace_invop_hdlr == hdlr);
286 dtrace_invop_hdlr = hdlr->dtih_next;
287 } else {
288 ASSERT(dtrace_invop_hdlr != hdlr);
289 prev->dtih_next = hdlr->dtih_next;
290 }
291
292 kmem_free(hdlr, sizeof (dtrace_invop_hdlr_t));
293 }
294
295 void*
dtrace_ptrauth_strip(void * ptr,uint64_t key)296 dtrace_ptrauth_strip(void *ptr, uint64_t key)
297 {
298 #pragma unused(key)
299 #if __has_feature(ptrauth_calls)
300 /*
301 * The key argument to ptrauth_strip needs to be a compile-time
302 * constant
303 */
304 switch (key) {
305 case ptrauth_key_asia:
306 return ptrauth_strip(ptr, ptrauth_key_asia);
307 case ptrauth_key_asib:
308 return ptrauth_strip(ptr, ptrauth_key_asib);
309 case ptrauth_key_asda:
310 return ptrauth_strip(ptr, ptrauth_key_asda);
311 case ptrauth_key_asdb:
312 return ptrauth_strip(ptr, ptrauth_key_asdb);
313 default:
314 return ptr;
315 }
316 #else
317 return ptr;
318 #endif // __has_feature(ptrauth_calls)
319 }
320
321 int
dtrace_is_valid_ptrauth_key(uint64_t key)322 dtrace_is_valid_ptrauth_key(uint64_t key)
323 {
324 #pragma unused(key)
325 #if __has_feature(ptrauth_calls)
326 return (key == ptrauth_key_asia) || (key == ptrauth_key_asib) ||
327 (key == ptrauth_key_asda) || (key == ptrauth_key_asdb);
328 #else
329 return (1);
330 #endif /* __has_feature(ptrauth_calls) */
331 }
332
333 uint64_t
dtrace_physmem_read(uint64_t addr,size_t size)334 dtrace_physmem_read(uint64_t addr, size_t size)
335 {
336 switch (size) {
337 case 1:
338 return (uint64_t)ml_phys_read_byte_64((addr64_t)addr);
339 case 2:
340 return (uint64_t)ml_phys_read_half_64((addr64_t)addr);
341 case 4:
342 return (uint64_t)ml_phys_read_64((addr64_t)addr);
343 case 8:
344 return (uint64_t)ml_phys_read_double_64((addr64_t)addr);
345 }
346 DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
347
348 return (0);
349 }
350
351 void
dtrace_physmem_write(uint64_t addr,uint64_t data,size_t size)352 dtrace_physmem_write(uint64_t addr, uint64_t data, size_t size)
353 {
354 switch (size) {
355 case 1:
356 ml_phys_write_byte_64((addr64_t)addr, (unsigned int)data);
357 break;
358 case 2:
359 ml_phys_write_half_64((addr64_t)addr, (unsigned int)data);
360 break;
361 case 4:
362 ml_phys_write_64((addr64_t)addr, (unsigned int)data);
363 break;
364 case 8:
365 ml_phys_write_double_64((addr64_t)addr, (unsigned long long)data);
366 break;
367 default:
368 DTRACE_CPUFLAG_SET(CPU_DTRACE_ILLOP);
369 }
370 }
371
372 static minor_t next_minor = 0;
373 static dtrace_state_t* dtrace_clients[DTRACE_NCLIENTS] = {NULL};
374
375
376 minor_t
dtrace_state_reserve(void)377 dtrace_state_reserve(void)
378 {
379 for (int i = 0; i < DTRACE_NCLIENTS; i++) {
380 minor_t minor = os_atomic_inc_orig(&next_minor, relaxed) % DTRACE_NCLIENTS;
381 if (dtrace_clients[minor] == NULL)
382 return minor;
383 }
384 return 0;
385 }
386
387 dtrace_state_t*
dtrace_state_get(minor_t minor)388 dtrace_state_get(minor_t minor)
389 {
390 ASSERT(minor < DTRACE_NCLIENTS);
391 return dtrace_clients[minor];
392 }
393
394 dtrace_state_t*
dtrace_state_allocate(minor_t minor)395 dtrace_state_allocate(minor_t minor)
396 {
397 dtrace_state_t *state = kalloc_type(dtrace_state_t, Z_ZERO | Z_WAITOK);
398 if (dtrace_casptr(&dtrace_clients[minor], NULL, state) != NULL) {
399 // We have been raced by another client for this number, abort
400 kfree_type(dtrace_state_t, state);
401 return NULL;
402 }
403 return state;
404 }
405
406 void
dtrace_state_free(minor_t minor)407 dtrace_state_free(minor_t minor)
408 {
409 dtrace_state_t *state = dtrace_clients[minor];
410 dtrace_clients[minor] = NULL;
411 kfree_type(dtrace_state_t, state);
412 }
413
414 /*
415 * Check if DTrace has been restricted by the current security policy.
416 */
417 boolean_t
dtrace_is_restricted(void)418 dtrace_is_restricted(void)
419 {
420 #if CONFIG_CSR
421 if (csr_check(CSR_ALLOW_UNRESTRICTED_DTRACE) != 0)
422 return TRUE;
423 #endif
424
425 return FALSE;
426 }
427
428 boolean_t
dtrace_are_restrictions_relaxed(void)429 dtrace_are_restrictions_relaxed(void)
430 {
431 #if CONFIG_CSR
432 if (csr_check(CSR_ALLOW_APPLE_INTERNAL) == 0)
433 return TRUE;
434 #endif
435
436 return FALSE;
437 }
438
439 boolean_t
dtrace_fbt_probes_restricted(void)440 dtrace_fbt_probes_restricted(void)
441 {
442 if (!ml_unsafe_kernel_text())
443 return TRUE;
444 #if CONFIG_CSR
445 if (dtrace_is_restricted() && !dtrace_are_restrictions_relaxed())
446 return TRUE;
447 #endif
448
449 return FALSE;
450 }
451
452 boolean_t
dtrace_sdt_probes_restricted(void)453 dtrace_sdt_probes_restricted(void)
454 {
455
456 if (!ml_unsafe_kernel_text())
457 return TRUE;
458 return FALSE;
459 }
460
461 /*
462 * Check if the process can be attached.
463 */
464 boolean_t
dtrace_can_attach_to_proc(proc_t * proc)465 dtrace_can_attach_to_proc(proc_t *proc)
466 {
467 #pragma unused(proc)
468 ASSERT(proc != NULL);
469
470 #if CONFIG_CSR
471 if (cs_restricted(proc))
472 return FALSE;
473 #endif
474
475 return TRUE;
476 }
477
478