1911106dfSjm /*
2911106dfSjm * CDDL HEADER START
3911106dfSjm *
4911106dfSjm * The contents of this file are subject to the terms of the
5911106dfSjm * Common Development and Distribution License (the "License").
6911106dfSjm * You may not use this file except in compliance with the License.
7911106dfSjm *
8911106dfSjm * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9911106dfSjm * or http://www.opensolaris.org/os/licensing.
10911106dfSjm * See the License for the specific language governing permissions
11911106dfSjm * and limitations under the License.
12911106dfSjm *
13911106dfSjm * When distributing Covered Code, include this CDDL HEADER in each
14911106dfSjm * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15911106dfSjm * If applicable, add the following below this CDDL HEADER, with the
16911106dfSjm * fields enclosed by brackets "[]" replaced with your own identifying
17911106dfSjm * information: Portions Copyright [yyyy] [name of copyright owner]
18911106dfSjm *
19911106dfSjm * CDDL HEADER END
20911106dfSjm */
21911106dfSjm /*
2253c11029Sjm * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23911106dfSjm * Use is subject to license terms.
24911106dfSjm */
25911106dfSjm
26911106dfSjm /*
27911106dfSjm * Implementation of the "scan file" interface
28911106dfSjm */
29911106dfSjm
30911106dfSjm #include <stdio.h>
31911106dfSjm #include <stdlib.h>
32911106dfSjm #include <unistd.h>
33911106dfSjm #include <string.h>
34911106dfSjm #include <errno.h>
35911106dfSjm #include <syslog.h>
36911106dfSjm #include <sys/types.h>
37911106dfSjm #include <fcntl.h>
38911106dfSjm #include <bsm/adt.h>
39911106dfSjm #include <bsm/adt_event.h>
40bfc848c6Sjm #include <pthread.h>
41911106dfSjm
42911106dfSjm #include "vs_incl.h"
43911106dfSjm
44bfc848c6Sjm /*
45bfc848c6Sjm * vs_svc_nodes - table of scan requests and their thread id and
46bfc848c6Sjm * scan engine context.
47bfc848c6Sjm * The table is sized by the value passed to vs_svc_init. This
48bfc848c6Sjm * value is obtained from the kernel and represents the maximum
49bfc848c6Sjm * request idx that the kernel will request vscand to process.
50bfc848c6Sjm * The table is indexed by the vsr_idx value passed in
51bfc848c6Sjm * the scan request - always non-zero. This value is also the index
52bfc848c6Sjm * into the kernel scan request table and identifies the instance of
53bfc848c6Sjm * the driver being used to access file data for the scan. Although
54bfc848c6Sjm * this is of no consequence here, it is useful information for debug.
55bfc848c6Sjm *
56bfc848c6Sjm * When a scan request is received a response is sent indicating
57bfc848c6Sjm * one of the following:
58bfc848c6Sjm * VS_STATUS_ERROR - an error occurred
59bfc848c6Sjm * VS_STATUS_NO_SCAN - no scan is required
60bfc848c6Sjm * VS_STATUS_SCANNING - request has been queued for async processing
61bfc848c6Sjm *
62bfc848c6Sjm * If the scan is required (VS_STATUS_SCANNING) a thread is created
63bfc848c6Sjm * to perform the scan. It's tid is saved in vs_svc_nodes.
64bfc848c6Sjm *
65bfc848c6Sjm * In the case of SHUTDOWN, vs_terminate requests that all scan
66bfc848c6Sjm * engine connections be closed, thus termintaing any in-progress
67bfc848c6Sjm * scans, then awaits completion of all scanning threads as identified
68bfc848c6Sjm * in vs_svc_nodes.
69bfc848c6Sjm */
70bfc848c6Sjm
71bfc848c6Sjm typedef struct vs_svc_node {
72bfc848c6Sjm pthread_t vsn_tid;
73bfc848c6Sjm vs_scan_req_t vsn_req;
74bfc848c6Sjm vs_eng_ctx_t vsn_eng;
75bfc848c6Sjm } vs_svc_node_t;
76bfc848c6Sjm
77bfc848c6Sjm static vs_svc_node_t *vs_svc_nodes;
78bfc848c6Sjm static uint32_t vs_svc_max_node; /* max idx into vs_svc_nodes */
79bfc848c6Sjm static pthread_mutex_t vs_svc_mutex = PTHREAD_MUTEX_INITIALIZER;
80bfc848c6Sjm
81bfc848c6Sjm
82911106dfSjm /* local functions */
83bfc848c6Sjm static void *vs_svc_async_scan(void *);
84bfc848c6Sjm static int vs_svc_scan_file(vs_svc_node_t *, vs_scanstamp_t *);
85911106dfSjm static void vs_svc_vlog(char *, vs_result_t *);
86911106dfSjm static void vs_svc_audit(char *, vs_result_t *);
87911106dfSjm
88bfc848c6Sjm
89911106dfSjm /*
90911106dfSjm * vs_svc_init, vs_svc_fini
91911106dfSjm *
92911106dfSjm * Invoked on daemon load and unload
93911106dfSjm */
94bfc848c6Sjm int
vs_svc_init(uint32_t max_req)95bfc848c6Sjm vs_svc_init(uint32_t max_req)
96911106dfSjm {
97bfc848c6Sjm vs_svc_max_node = max_req;
98bfc848c6Sjm vs_svc_nodes = (vs_svc_node_t *)
99bfc848c6Sjm calloc(max_req + 1, sizeof (vs_svc_node_t));
100bfc848c6Sjm
101bfc848c6Sjm return (vs_svc_nodes == NULL ? -1 : 0);
102911106dfSjm }
103911106dfSjm
104911106dfSjm void
vs_svc_fini()105911106dfSjm vs_svc_fini()
106911106dfSjm {
107bfc848c6Sjm if (vs_svc_nodes)
108bfc848c6Sjm free(vs_svc_nodes);
109bfc848c6Sjm }
110bfc848c6Sjm
111bfc848c6Sjm
112bfc848c6Sjm /*
113bfc848c6Sjm * vs_svc_terminate
114bfc848c6Sjm *
115bfc848c6Sjm * Close all scan engine connections to terminate in-progress scan
116bfc848c6Sjm * requests, and wait for all threads in vs_svc_nodes to complete
117bfc848c6Sjm */
118bfc848c6Sjm void
vs_svc_terminate()119bfc848c6Sjm vs_svc_terminate()
120bfc848c6Sjm {
121bfc848c6Sjm int i;
122bfc848c6Sjm pthread_t tid;
123bfc848c6Sjm
124bfc848c6Sjm /* close connections to abort requests */
125bfc848c6Sjm vs_eng_close_connections();
126bfc848c6Sjm
127bfc848c6Sjm /* wait for threads */
128bfc848c6Sjm for (i = 1; i <= vs_svc_max_node; i++) {
129bfc848c6Sjm
130bfc848c6Sjm (void) pthread_mutex_lock(&vs_svc_mutex);
131bfc848c6Sjm tid = vs_svc_nodes[i].vsn_tid;
132bfc848c6Sjm (void) pthread_mutex_unlock(&vs_svc_mutex);
133bfc848c6Sjm
134bfc848c6Sjm if (tid != 0)
135bfc848c6Sjm (void) pthread_join(tid, NULL);
136bfc848c6Sjm }
137bfc848c6Sjm }
138bfc848c6Sjm
139bfc848c6Sjm
140bfc848c6Sjm /*
141bfc848c6Sjm * vs_svc_queue_scan_req
142bfc848c6Sjm *
143bfc848c6Sjm * Determine if the file needs to be scanned - either it has
144bfc848c6Sjm * been modified or its scanstamp is not current.
145bfc848c6Sjm * Initiate a thread to process the request, saving the tid
146bfc848c6Sjm * in vs_svc_nodes[idx].vsn_tid, where idx is the vsr_idx passed in
147bfc848c6Sjm * the scan request.
148bfc848c6Sjm *
149bfc848c6Sjm * Returns: VS_STATUS_ERROR - error
150bfc848c6Sjm * VS_STATUS_NO_SCAN - no scan required
151bfc848c6Sjm * VS_STATUS_SCANNING - async scan initiated
152bfc848c6Sjm */
153bfc848c6Sjm int
vs_svc_queue_scan_req(vs_scan_req_t * req)154bfc848c6Sjm vs_svc_queue_scan_req(vs_scan_req_t *req)
155bfc848c6Sjm {
156bfc848c6Sjm pthread_t tid;
157bfc848c6Sjm vs_svc_node_t *node;
158bfc848c6Sjm
159bfc848c6Sjm /* No scan if file quarantined */
160bfc848c6Sjm if (req->vsr_quarantined)
161bfc848c6Sjm return (VS_STATUS_NO_SCAN);
162bfc848c6Sjm
163bfc848c6Sjm /* No scan if file not modified AND scanstamp is current */
164bfc848c6Sjm if ((req->vsr_modified == 0) &&
165bfc848c6Sjm vs_eng_scanstamp_current(req->vsr_scanstamp)) {
166bfc848c6Sjm return (VS_STATUS_NO_SCAN);
167bfc848c6Sjm }
168bfc848c6Sjm
169bfc848c6Sjm /* scan required */
170bfc848c6Sjm node = &(vs_svc_nodes[req->vsr_idx]);
171bfc848c6Sjm
172bfc848c6Sjm (void) pthread_mutex_lock(&vs_svc_mutex);
173bfc848c6Sjm if ((node->vsn_tid != 0) || (req->vsr_idx > vs_svc_max_node)) {
174bfc848c6Sjm (void) pthread_mutex_unlock(&vs_svc_mutex);
175bfc848c6Sjm return (VS_STATUS_ERROR);
176bfc848c6Sjm }
177bfc848c6Sjm
178bfc848c6Sjm node->vsn_req = *req;
179bfc848c6Sjm
180bfc848c6Sjm if (pthread_create(&tid, NULL, vs_svc_async_scan, (void *)node) != 0) {
181bfc848c6Sjm (void) pthread_mutex_unlock(&vs_svc_mutex);
182bfc848c6Sjm return (VS_STATUS_ERROR);
183bfc848c6Sjm }
184bfc848c6Sjm
185bfc848c6Sjm node->vsn_tid = tid;
186bfc848c6Sjm (void) pthread_mutex_unlock(&vs_svc_mutex);
187bfc848c6Sjm
188bfc848c6Sjm return (VS_STATUS_SCANNING);
189bfc848c6Sjm }
190bfc848c6Sjm
191bfc848c6Sjm
192bfc848c6Sjm /*
193bfc848c6Sjm * vs_svc_async_scan
194bfc848c6Sjm *
195bfc848c6Sjm * Initialize response structure, invoke vs_svc_scan_file to
196bfc848c6Sjm * perform the scan, then send the result to the kernel.
197bfc848c6Sjm */
198bfc848c6Sjm static void *
vs_svc_async_scan(void * arg)199bfc848c6Sjm vs_svc_async_scan(void *arg)
200bfc848c6Sjm {
201bfc848c6Sjm vs_svc_node_t *node = (vs_svc_node_t *)arg;
202bfc848c6Sjm vs_scan_req_t *scan_req = &(node->vsn_req);
203bfc848c6Sjm vs_scan_rsp_t scan_rsp;
204bfc848c6Sjm
205bfc848c6Sjm scan_rsp.vsr_idx = scan_req->vsr_idx;
206bfc848c6Sjm scan_rsp.vsr_seqnum = scan_req->vsr_seqnum;
207bfc848c6Sjm scan_rsp.vsr_result = vs_svc_scan_file(node, &scan_rsp.vsr_scanstamp);
208bfc848c6Sjm
209bfc848c6Sjm /* clear node and send async response to kernel */
210bfc848c6Sjm (void) pthread_mutex_lock(&vs_svc_mutex);
211bfc848c6Sjm (void) memset(node, 0, sizeof (vs_svc_node_t));
212bfc848c6Sjm (void) pthread_mutex_unlock(&vs_svc_mutex);
213bfc848c6Sjm
214bfc848c6Sjm (void) vscand_kernel_result(&scan_rsp);
215bfc848c6Sjm
216bfc848c6Sjm return (NULL);
217911106dfSjm }
218911106dfSjm
219911106dfSjm
220911106dfSjm /*
221911106dfSjm * vs_svc_scan_file
222911106dfSjm *
223911106dfSjm * vs_svc_scan_file is responsible for:
224911106dfSjm * - obtaining & releasing a scan engine connection
225911106dfSjm * - invoking the scan engine interface code to do the scan
226911106dfSjm * - retrying a failed scan (up to VS_MAX_RETRY times)
227911106dfSjm * - updating scan statistics
228911106dfSjm * - logging virus information
229911106dfSjm *
23053c11029Sjm *
231911106dfSjm * Returns:
232bfc848c6Sjm * VS_STATUS_NO_SCAN - scan not reqd; daemon shutting down
23353c11029Sjm * VS_STATUS_CLEAN - scan success. File clean.
23453c11029Sjm * new scanstamp returned in scanstamp param.
23553c11029Sjm * VS_STATUS_INFECTED - scan success. File infected.
23653c11029Sjm * VS_STATUS_ERROR - scan failure either in vscand or scan engine.
237911106dfSjm */
238bfc848c6Sjm static int
vs_svc_scan_file(vs_svc_node_t * node,vs_scanstamp_t * scanstamp)239bfc848c6Sjm vs_svc_scan_file(vs_svc_node_t *node, vs_scanstamp_t *scanstamp)
240911106dfSjm {
241bfc848c6Sjm char devname[MAXPATHLEN];
242bfc848c6Sjm int flags = 0;
24353c11029Sjm int retries;
244911106dfSjm vs_result_t result;
245bfc848c6Sjm vs_scan_req_t *req = &(node->vsn_req);
246bfc848c6Sjm vs_eng_ctx_t *eng = &(node->vsn_eng);
247911106dfSjm
248bfc848c6Sjm (void) snprintf(devname, MAXPATHLEN, "%s%d", VS_DRV_PATH, req->vsr_idx);
249911106dfSjm
250bfc848c6Sjm /* initialize response scanstamp to current scanstamp value */
251bfc848c6Sjm (void) strlcpy(*scanstamp, req->vsr_scanstamp, sizeof (vs_scanstamp_t));
252911106dfSjm
253911106dfSjm (void) memset(&result, 0, sizeof (vs_result_t));
254911106dfSjm result.vsr_rc = VS_RESULT_UNDEFINED;
255911106dfSjm
256911106dfSjm for (retries = 0; retries <= VS_MAX_RETRY; retries++) {
257bfc848c6Sjm /* get engine connection */
258bfc848c6Sjm if (vs_eng_get(eng, (retries != 0)) != 0) {
25953c11029Sjm result.vsr_rc = VS_RESULT_ERROR;
260911106dfSjm continue;
261911106dfSjm }
262911106dfSjm
263bfc848c6Sjm /* shutdown could occur while waiting for engine connection */
264bfc848c6Sjm if (vscand_get_state() == VS_STATE_SHUTDOWN) {
265bfc848c6Sjm vs_eng_release(eng);
266bfc848c6Sjm return (VS_STATUS_NO_SCAN);
267911106dfSjm }
268911106dfSjm
269bfc848c6Sjm /* scan file */
270bfc848c6Sjm (void) vs_icap_scan_file(eng, devname, req->vsr_path,
271bfc848c6Sjm req->vsr_size, flags, &result);
272bfc848c6Sjm
273911106dfSjm /* if no error, clear error state on engine and break */
27453c11029Sjm if ((result.vsr_rc != VS_RESULT_SE_ERROR) &&
27553c11029Sjm (result.vsr_rc != VS_RESULT_ERROR)) {
276bfc848c6Sjm vs_eng_set_error(eng, 0);
277bfc848c6Sjm vs_eng_release(eng);
278911106dfSjm break;
279911106dfSjm }
280911106dfSjm
28153c11029Sjm /* treat error on shutdown as scan not required */
282911106dfSjm if (vscand_get_state() == VS_STATE_SHUTDOWN) {
283bfc848c6Sjm vs_eng_release(eng);
28453c11029Sjm return (VS_STATUS_NO_SCAN);
285911106dfSjm }
286911106dfSjm
287911106dfSjm /* set engine's error state and update engine stats */
288bfc848c6Sjm if (result.vsr_rc == VS_RESULT_SE_ERROR)
289bfc848c6Sjm vs_eng_set_error(eng, 1);
290bfc848c6Sjm
291bfc848c6Sjm vs_eng_release(eng);
292911106dfSjm }
293911106dfSjm
29453c11029Sjm vs_stats_set(result.vsr_rc);
295911106dfSjm
29653c11029Sjm /*
29753c11029Sjm * VS_RESULT_CLEANED - file infected, cleaned data available
29853c11029Sjm * VS_RESULT_FORBIDDEN - file infected, no cleaned data
29953c11029Sjm * Log virus, write audit record and return INFECTED status
30053c11029Sjm */
301911106dfSjm if (result.vsr_rc == VS_RESULT_CLEANED ||
302911106dfSjm result.vsr_rc == VS_RESULT_FORBIDDEN) {
303bfc848c6Sjm vs_svc_vlog(req->vsr_path, &result);
304bfc848c6Sjm vs_svc_audit(req->vsr_path, &result);
30553c11029Sjm return (VS_STATUS_INFECTED);
306911106dfSjm }
307911106dfSjm
30853c11029Sjm /* VS_RESULT_CLEAN - Set the scanstamp and return CLEAN status */
30953c11029Sjm if (result.vsr_rc == VS_RESULT_CLEAN) {
31053c11029Sjm (void) strlcpy(*scanstamp, result.vsr_scanstamp,
311911106dfSjm sizeof (vs_scanstamp_t));
31253c11029Sjm return (VS_STATUS_CLEAN);
313911106dfSjm }
314911106dfSjm
31553c11029Sjm return (VS_STATUS_ERROR);
316911106dfSjm }
317911106dfSjm
318911106dfSjm
319911106dfSjm /*
320911106dfSjm * vs_svc_vlog
321911106dfSjm *
322bfc848c6Sjm * log details of infections detected in syslig
323bfc848c6Sjm * If virus log is configured log details there too
324911106dfSjm */
325911106dfSjm static void
vs_svc_vlog(char * filepath,vs_result_t * result)326911106dfSjm vs_svc_vlog(char *filepath, vs_result_t *result)
327911106dfSjm {
328911106dfSjm FILE *fp = NULL;
329911106dfSjm time_t sec;
330911106dfSjm struct tm *timestamp;
331911106dfSjm char timebuf[18]; /* MM/DD/YY hh:mm:ss */
332911106dfSjm int i;
333911106dfSjm char *log;
334911106dfSjm
335bfc848c6Sjm /* syslog */
336bfc848c6Sjm if (result->vsr_nviolations == 0) {
337*c8dbf746Sjm syslog(LOG_NOTICE, "quarantine %s\n", filepath);
338bfc848c6Sjm } else {
339bfc848c6Sjm for (i = 0; i < result->vsr_nviolations; i++) {
340*c8dbf746Sjm syslog(LOG_NOTICE, "quarantine %s %d - %s\n",
341bfc848c6Sjm filepath,
342bfc848c6Sjm result->vsr_vrec[i].vr_id,
343bfc848c6Sjm result->vsr_vrec[i].vr_desc);
344bfc848c6Sjm }
345bfc848c6Sjm }
346911106dfSjm
347bfc848c6Sjm /* log file */
348bfc848c6Sjm if (((log = vscand_viruslog()) == NULL) ||
349bfc848c6Sjm ((fp = fopen(log, "a")) == NULL)) {
350bfc848c6Sjm return;
351911106dfSjm }
352911106dfSjm
353bfc848c6Sjm (void) time(&sec);
354bfc848c6Sjm timestamp = localtime(&sec);
355bfc848c6Sjm (void) strftime(timebuf, sizeof (timebuf), "%D %T", timestamp);
356bfc848c6Sjm
357911106dfSjm if (result->vsr_nviolations == 0) {
358bfc848c6Sjm (void) fprintf(fp, "%s quarantine %d[%s]\n",
359bfc848c6Sjm timebuf, strlen(filepath), filepath);
360911106dfSjm } else {
361911106dfSjm for (i = 0; i < result->vsr_nviolations; i++) {
362bfc848c6Sjm (void) fprintf(fp, "%s quarantine %d[%s] %d - %d[%s]\n",
363bfc848c6Sjm timebuf, strlen(filepath), filepath,
364bfc848c6Sjm result->vsr_vrec[i].vr_id,
365bfc848c6Sjm strlen(result->vsr_vrec[i].vr_desc),
366bfc848c6Sjm result->vsr_vrec[i].vr_desc);
367911106dfSjm }
368911106dfSjm }
369911106dfSjm
370bfc848c6Sjm (void) fclose(fp);
371911106dfSjm }
372911106dfSjm
373911106dfSjm
374911106dfSjm /*
375911106dfSjm * vs_svc_audit
376911106dfSjm *
377911106dfSjm * Generate AUE_vscan_quarantine audit record containing name
378911106dfSjm * of infected file, and violation details if available.
379911106dfSjm */
380911106dfSjm static void
vs_svc_audit(char * filepath,vs_result_t * result)381911106dfSjm vs_svc_audit(char *filepath, vs_result_t *result)
382911106dfSjm {
383911106dfSjm int i;
384911106dfSjm char *violations[VS_MAX_VIOLATIONS];
385911106dfSjm char data[VS_MAX_VIOLATIONS][VS_DESCRIPTION_MAX];
386911106dfSjm adt_session_data_t *ah;
387911106dfSjm adt_termid_t *p_tid;
388911106dfSjm adt_event_data_t *event;
389911106dfSjm
390911106dfSjm if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
391911106dfSjm syslog(LOG_AUTH | LOG_ALERT, "adt_start_session: %m");
392911106dfSjm return;
393911106dfSjm }
394911106dfSjm
395911106dfSjm if (adt_load_ttyname("/dev/console", &p_tid) != 0) {
396911106dfSjm syslog(LOG_AUTH | LOG_ALERT,
397911106dfSjm "adt_load_ttyname(/dev/console): %m");
398911106dfSjm return;
399911106dfSjm }
400911106dfSjm
401911106dfSjm if (adt_set_user(ah, ADT_NO_ATTRIB, ADT_NO_ATTRIB, ADT_NO_ATTRIB,
402911106dfSjm ADT_NO_ATTRIB, p_tid, ADT_NEW) != 0) {
403911106dfSjm syslog(LOG_AUTH | LOG_ALERT, "adt_set_user(ADT_NO_ATTRIB): %m");
404911106dfSjm (void) adt_end_session(ah);
405911106dfSjm return;
406911106dfSjm }
407911106dfSjm
408911106dfSjm if ((event = adt_alloc_event(ah, ADT_vscan_quarantine)) == NULL) {
409911106dfSjm syslog(LOG_AUTH | LOG_ALERT,
410911106dfSjm "adt_alloc_event(ADT_vscan_quarantine)): %m");
411911106dfSjm (void) adt_end_session(ah);
412911106dfSjm return;
413911106dfSjm }
414911106dfSjm
415911106dfSjm /* populate vscan audit event */
416911106dfSjm event->adt_vscan_quarantine.file = filepath;
417911106dfSjm for (i = 0; i < result->vsr_nviolations; i++) {
418911106dfSjm (void) snprintf(data[i], VS_DESCRIPTION_MAX, "%d - %s",
419911106dfSjm result->vsr_vrec[i].vr_id, result->vsr_vrec[i].vr_desc);
420911106dfSjm violations[i] = data[i];
421911106dfSjm }
422911106dfSjm
423911106dfSjm event->adt_vscan_quarantine.violations = (char **)violations;
424911106dfSjm event->adt_vscan_quarantine.nviolations = result->vsr_nviolations;
425911106dfSjm
426911106dfSjm if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS))
427911106dfSjm syslog(LOG_AUTH | LOG_ALERT, "adt_put_event: %m");
428911106dfSjm
429911106dfSjm adt_free_event(event);
430911106dfSjm (void) adt_end_session(ah);
431911106dfSjm }
432