]>
Commit | Line | Data |
---|---|---|
b0d623f7 A |
1 | /*- |
2 | * Copyright (c) 2004-2009 Apple Inc. | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * 1. Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * 2. Redistributions in binary form must reproduce the above copyright | |
11 | * notice, this list of conditions and the following disclaimer in the | |
12 | * documentation and/or other materials provided with the distribution. | |
13 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of | |
14 | * its contributors may be used to endorse or promote products derived | |
15 | * from this software without specific prior written permission. | |
16 | * | |
17 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND | |
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
20 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR | |
21 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
25 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
26 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
27 | * POSSIBILITY OF SUCH DAMAGE. | |
28 | * | |
29 | */ | |
30 | /* | |
31 | * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce | |
32 | * support for mandatory and extensible security protections. This notice | |
33 | * is included in support of clause 2.2 (b) of the Apple Public License, | |
34 | * Version 2.0. | |
35 | */ | |
36 | ||
37 | /* | |
38 | * This header includes function prototypes and type definitions that are | |
39 | * necessary for the kernel as a whole to interact with the audit subsystem. | |
40 | */ | |
41 | ||
42 | #ifndef _SECURITY_AUDIT_AUDIT_H | |
43 | #define _SECURITY_AUDIT_AUDIT_H | |
44 | ||
45 | #if defined(_KERNEL) || defined(KERNEL) | |
46 | ||
47 | #if CONFIG_MACF | |
48 | #include <sys/queue.h> | |
49 | #include <security/mac_framework.h> | |
50 | #endif | |
51 | ||
52 | #include <bsm/audit.h> | |
53 | ||
54 | #include <sys/sysctl.h> | |
55 | #include <sys/user.h> | |
56 | #include <sys/ipc.h> | |
57 | ||
58 | /* | |
59 | * Audit subsystem condition flags. The audit_enabled flag is set and | |
60 | * removed automatically as a result of configuring log files, and can be | |
61 | * observed but should not be directly manipulated. The audit suspension | |
62 | * flag permits audit to be temporarily disabled without reconfiguring the | |
63 | * audit target. The audit syscalls flag is set at the first hint that kernel | |
64 | * events (system and mach calls) need to be audited. It is used for | |
65 | * performance so an event class map table lookup doesn't have be done for | |
66 | * every system call if only user events are being audited. | |
67 | */ | |
68 | extern int audit_enabled; | |
69 | extern int audit_suspended; | |
70 | extern int audit_syscalls; | |
71 | ||
72 | /* | |
73 | * Define the masks for the audited arguments. | |
74 | * | |
75 | * XXXRW: These need to remain in audit.h for now because our vnode and name | |
76 | * lookup audit calls rely on passing in flags to indicate which name or | |
77 | * vnode is being logged. These should move to audit_private.h when that is | |
78 | * fixed. | |
79 | */ | |
80 | #define ARG_EUID 0x0000000000000001ULL | |
81 | #define ARG_RUID 0x0000000000000002ULL | |
82 | #define ARG_SUID 0x0000000000000004ULL | |
83 | #define ARG_EGID 0x0000000000000008ULL | |
84 | #define ARG_RGID 0x0000000000000010ULL | |
85 | #define ARG_SGID 0x0000000000000020ULL | |
86 | #define ARG_PID 0x0000000000000040ULL | |
87 | #define ARG_UID 0x0000000000000080ULL | |
88 | #define ARG_AUID 0x0000000000000100ULL | |
89 | #define ARG_GID 0x0000000000000200ULL | |
90 | #define ARG_FD 0x0000000000000400ULL | |
91 | #define ARG_POSIX_IPC_PERM 0x0000000000000800ULL | |
92 | #define ARG_FFLAGS 0x0000000000001000ULL | |
93 | #define ARG_MODE 0x0000000000002000ULL | |
94 | #define ARG_VALUE32 0x0000000000004000ULL | |
95 | #define ARG_ADDR32 0x0000000000008000ULL | |
96 | #define ARG_ADDR ARG_ADDR32 | |
97 | #define ARG_LEN 0x0000000000010000ULL | |
98 | #define ARG_MASK 0x0000000000020000ULL | |
99 | #define ARG_SIGNUM 0x0000000000040000ULL | |
100 | #define ARG_LOGIN 0x0000000000080000ULL | |
101 | #define ARG_SADDRINET 0x0000000000100000ULL | |
102 | #define ARG_SADDRINET6 0x0000000000200000ULL | |
103 | #define ARG_SADDRUNIX 0x0000000000400000ULL | |
104 | #define ARG_TERMID_ADDR ARG_SADDRUNIX | |
105 | #define ARG_KPATH1 0x0000000000800000ULL /* darwin-only */ | |
106 | #define ARG_KPATH2 0x0000000001000000ULL /* darwin-only */ | |
107 | #define ARG_UPATH1 0x0000000002000000ULL | |
108 | #define ARG_UPATH2 0x0000000004000000ULL | |
109 | #define ARG_TEXT 0x0000000008000000ULL | |
110 | #define ARG_VNODE1 0x0000000010000000ULL | |
111 | #define ARG_VNODE2 0x0000000020000000ULL | |
112 | #define ARG_SVIPC_CMD 0x0000000040000000ULL | |
113 | #define ARG_SVIPC_PERM 0x0000000080000000ULL | |
114 | #define ARG_SVIPC_ID 0x0000000100000000ULL | |
115 | #define ARG_SVIPC_ADDR 0x0000000200000000ULL | |
116 | #define ARG_GROUPSET 0x0000000400000000ULL | |
117 | #define ARG_CMD 0x0000000800000000ULL | |
118 | #define ARG_SOCKINFO 0x0000001000000000ULL | |
119 | #define ARG_ASID 0x0000002000000000ULL | |
120 | #define ARG_TERMID 0x0000004000000000ULL | |
121 | #define ARG_AUDITON 0x0000008000000000ULL | |
122 | #define ARG_VALUE64 0x0000010000000000ULL /* darwin-only */ | |
123 | #define ARG_AMASK 0x0000020000000000ULL | |
124 | #define ARG_CTLNAME 0x0000040000000000ULL | |
125 | #define ARG_PROCESS 0x0000080000000000ULL | |
126 | #define ARG_MACHPORT1 0x0000100000000000ULL | |
127 | #define ARG_MACHPORT2 0x0000200000000000ULL | |
128 | #define ARG_MAC_STRING 0x0000400000000000ULL | |
129 | #define ARG_EXIT 0x0000800000000000ULL | |
130 | #define ARG_IOVECSTR 0x0001000000000000ULL | |
131 | #define ARG_ARGV 0x0002000000000000ULL | |
132 | #define ARG_ENVV 0x0004000000000000ULL | |
133 | #define ARG_OPAQUE 0x0008000000000000ULL /* darwin-only */ | |
134 | #define ARG_DATA 0x0010000000000000ULL /* darwin-only */ | |
135 | #define ARG_ADDR64 0x0020000000000000ULL /* darwin-only */ | |
136 | #define ARG_NONE 0x0000000000000000ULL | |
137 | #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL | |
138 | ||
139 | #if CONFIG_MACF | |
140 | ||
141 | #define MAC_AUDIT_LABEL_LEN 1024 | |
142 | #define MAC_AUDIT_DATA_TYPE 0 | |
143 | #define MAC_AUDIT_TEXT_TYPE 1 | |
144 | ||
145 | struct mac_audit_record { | |
146 | int type; /* one of the types defined above */ | |
147 | int length; /* byte length of the data field */ | |
148 | u_char *data; /* the payload */ | |
149 | LIST_ENTRY(mac_audit_record) records; | |
150 | }; | |
151 | ||
152 | #endif | |
153 | ||
154 | struct proc; | |
155 | struct vnode; | |
156 | struct componentname; | |
157 | ||
158 | int kau_will_audit(void); | |
159 | void audit_init(void); | |
160 | void audit_shutdown(void); | |
161 | void audit_syscall_enter(unsigned int code, | |
162 | struct proc *proc, struct uthread *uthread); | |
163 | #if CONFIG_MACF | |
164 | /* | |
165 | * The parameter list of audit_syscall_exit() was modified to also take the | |
166 | * Darwin syscall number, which is required by mac_audit_check_postselect(). | |
167 | */ | |
168 | void audit_syscall_exit(unsigned int code, int error, | |
169 | struct proc *proc, struct uthread *uthread); | |
170 | #else | |
171 | void audit_syscall_exit(int error, struct proc *proc, | |
172 | struct uthread *uthread); | |
173 | #endif | |
174 | void audit_mach_syscall_enter(unsigned short audit_event); | |
175 | void audit_mach_syscall_exit(int retval, struct uthread *uthread); | |
176 | ||
6d2010ae | 177 | extern struct auditinfo_addr *audit_default_aia_p; |
b0d623f7 A |
178 | |
179 | /* | |
180 | * The remaining kernel functions are conditionally compiled in as they are | |
181 | * wrapped by a macro, and the macro should be the only place in the source | |
182 | * tree where these functions are referenced. | |
183 | */ | |
184 | #if CONFIG_AUDIT | |
185 | struct ipc_perm; | |
186 | struct sockaddr; | |
187 | union auditon_udata; | |
188 | void audit_arg_addr(struct kaudit_record *ar, user_addr_t addr); | |
189 | void audit_arg_exit(struct kaudit_record *ar, int status, int retval); | |
190 | void audit_arg_len(struct kaudit_record *ar, user_size_t len); | |
191 | void audit_arg_fd(struct kaudit_record *ar, int fd); | |
192 | void audit_arg_fflags(struct kaudit_record *ar, int fflags); | |
193 | void audit_arg_gid(struct kaudit_record *ar, gid_t gid); | |
194 | void audit_arg_uid(struct kaudit_record *ar, uid_t uid); | |
195 | void audit_arg_egid(struct kaudit_record *ar, gid_t egid); | |
196 | void audit_arg_euid(struct kaudit_record *ar, uid_t euid); | |
197 | void audit_arg_rgid(struct kaudit_record *ar, gid_t rgid); | |
198 | void audit_arg_ruid(struct kaudit_record *ar, uid_t ruid); | |
199 | void audit_arg_sgid(struct kaudit_record *ar, gid_t sgid); | |
200 | void audit_arg_suid(struct kaudit_record *ar, uid_t suid); | |
201 | void audit_arg_groupset(struct kaudit_record *ar, gid_t *gidset, | |
202 | u_int gidset_size); | |
203 | void audit_arg_login(struct kaudit_record *ar, char *login); | |
204 | void audit_arg_ctlname(struct kaudit_record *ar, int *name, int namelen); | |
205 | void audit_arg_mask(struct kaudit_record *ar, int mask); | |
206 | void audit_arg_mode(struct kaudit_record *ar, mode_t mode); | |
207 | void audit_arg_value32(struct kaudit_record *ar, uint32_t value32); | |
208 | void audit_arg_value64(struct kaudit_record *ar, uint64_t value64); | |
209 | void audit_arg_owner(struct kaudit_record *ar, uid_t uid, gid_t gid); | |
210 | void audit_arg_pid(struct kaudit_record *ar, pid_t pid); | |
211 | void audit_arg_process(struct kaudit_record *ar, proc_t p); | |
212 | void audit_arg_signum(struct kaudit_record *ar, u_int signum); | |
213 | void audit_arg_socket(struct kaudit_record *ar, int sodomain, int sotype, | |
214 | int soprotocol); | |
215 | void audit_arg_sockaddr(struct kaudit_record *ar, struct vnode *cwd_vp, | |
216 | struct sockaddr *so); | |
217 | void audit_arg_auid(struct kaudit_record *ar, uid_t auid); | |
218 | void audit_arg_auditinfo(struct kaudit_record *ar, | |
219 | struct auditinfo *au_info); | |
220 | void audit_arg_auditinfo_addr(struct kaudit_record *ar, | |
221 | struct auditinfo_addr *au_info); | |
222 | void audit_arg_upath(struct kaudit_record *ar, struct vnode *cwd_vp, | |
223 | char *upath, u_int64_t flags); | |
224 | void audit_arg_vnpath(struct kaudit_record *ar, struct vnode *vp, | |
225 | u_int64_t flags); | |
226 | void audit_arg_vnpath_withref(struct kaudit_record *ar, struct vnode *vp, | |
227 | u_int64_t flags); | |
228 | void audit_arg_text(struct kaudit_record *ar, char *text); | |
229 | void audit_arg_opaque(struct kaudit_record *ar, void *data, size_t size); | |
230 | void audit_arg_data(struct kaudit_record *ar, void *data, size_t size, | |
231 | size_t number); | |
232 | void audit_arg_cmd(struct kaudit_record *ar, int cmd); | |
233 | void audit_arg_svipc_cmd(struct kaudit_record *ar, int cmd); | |
234 | void audit_arg_svipc_perm(struct kaudit_record *ar, struct ipc_perm *perm); | |
235 | void audit_arg_svipc_id(struct kaudit_record *ar, int id); | |
236 | void audit_arg_svipc_addr(struct kaudit_record *ar, user_addr_t addr); | |
237 | void audit_arg_posix_ipc_perm(struct kaudit_record *ar, uid_t uid, | |
238 | gid_t gid, mode_t mode); | |
239 | void audit_arg_auditon(struct kaudit_record *ar, | |
240 | union auditon_udata *udata); | |
241 | void audit_arg_file(struct kaudit_record *ar, struct proc *p, | |
242 | struct fileproc *fp); | |
243 | void audit_arg_argv(struct kaudit_record *ar, char *argv, int argc, | |
244 | int length); | |
245 | void audit_arg_envv(struct kaudit_record *ar, char *envv, int envc, | |
246 | int length); | |
247 | ||
248 | void audit_arg_mach_port1(struct kaudit_record *ar, mach_port_name_t port); | |
249 | void audit_arg_mach_port2(struct kaudit_record *ar, mach_port_name_t port); | |
250 | void audit_sysclose(struct kaudit_record *ar, struct proc *p, int fd); | |
251 | ||
252 | void audit_proc_coredump(proc_t proc, char *path, int errcode); | |
253 | void audit_proc_init(struct proc *p); | |
254 | void audit_proc_fork(struct proc *parent, struct proc *child); | |
255 | void audit_proc_free(struct proc *p); | |
256 | ||
257 | #ifndef _KAUTH_CRED_T | |
258 | #define _KAUTH_CRED_T | |
259 | struct ucred; | |
260 | typedef struct ucred *kauth_cred_t; | |
261 | #endif /* !_KAUTH_CRED_T */ | |
262 | ||
263 | void audit_session_ref(kauth_cred_t cred); | |
264 | void audit_session_unref(kauth_cred_t cred); | |
6d2010ae A |
265 | void audit_session_procnew(proc_t p); |
266 | void audit_session_procexit(proc_t p); | |
b0d623f7 A |
267 | int audit_session_spawnjoin(proc_t p, ipc_port_t port); |
268 | ||
6d2010ae A |
269 | void audit_sdev_submit(au_id_t auid, au_asid_t asid, void *record, |
270 | u_int record_len); | |
271 | ||
b0d623f7 A |
272 | /* |
273 | * Audit session macros. | |
274 | */ | |
6d2010ae | 275 | #define IS_VALID_SESSION(a) ((a) != NULL && (a) != audit_default_aia_p) |
b0d623f7 A |
276 | |
277 | #define AUDIT_SESSION_REF(cred) audit_session_ref(cred) | |
278 | #define AUDIT_SESSION_UNREF(cred) audit_session_unref(cred) | |
279 | ||
6d2010ae A |
280 | #define AUDIT_SESSION_PROCNEW(p) audit_session_procnew(p) |
281 | #define AUDIT_SESSION_PROCEXIT(p) audit_session_procexit(p) | |
b0d623f7 A |
282 | |
283 | #if CONFIG_MACF | |
284 | /* | |
285 | * audit_mac_data() is the MAC Framework's entry point to the audit subsystem. | |
286 | * It currently creates only text and data audit tokens. | |
287 | */ | |
288 | int audit_mac_data(int type, int len, u_char *data); | |
289 | void audit_arg_mac_string(struct kaudit_record *ar, char *string); | |
290 | ||
291 | #endif | |
292 | ||
293 | extern au_event_t sys_au_event[]; | |
294 | ||
295 | #define AUDIT_RECORD() \ | |
296 | ((struct uthread*)get_bsdthread_info(current_thread()))->uu_ar | |
297 | ||
6d2010ae A |
298 | #ifndef AUDIT_USE_BUILTIN_EXPECT |
299 | #define AUDIT_USE_BUILTIN_EXPECT | |
b0d623f7 A |
300 | #endif |
301 | ||
302 | #ifdef AUDIT_USE_BUILTIN_EXPECT | |
303 | /* | |
304 | * Use branch prediction for the case of auditing enabled but not | |
305 | * auditing system calls. | |
306 | */ | |
307 | #define AUDIT_SYSCALLS() __builtin_expect(audit_syscalls, 0) | |
308 | #define AUDIT_ENABLED() __builtin_expect(audit_syscalls && \ | |
309 | audit_enabled, 0) | |
310 | #define AUDIT_AUDITING(x) __builtin_expect(NULL != (x), 0) | |
311 | ||
312 | #else | |
313 | ||
314 | #define AUDIT_SYSCALLS() (audit_syscalls) | |
315 | #define AUDIT_ENABLED() (audit_syscalls && audit_enabled) | |
316 | #define AUDIT_AUDITING(x) (NULL != (x)) | |
317 | ||
318 | #endif /* AUDIT_USE_BUILTIN_EXPECT */ | |
319 | ||
320 | /* | |
321 | * Define a macro to wrap the audit_arg_* calls by checking the global | |
322 | * audit_enabled flag before performing the actual call. | |
323 | */ | |
324 | #define AUDIT_ARG(op, args...) do { \ | |
325 | if (AUDIT_SYSCALLS()) { \ | |
326 | struct kaudit_record *__ar = AUDIT_RECORD(); \ | |
327 | if (AUDIT_AUDITING(__ar)) \ | |
328 | audit_arg_ ## op (__ar, args); \ | |
329 | } \ | |
330 | } while (0) | |
331 | ||
332 | #define AUDIT_SYSCALL_ENTER(args...) do { \ | |
333 | if (AUDIT_ENABLED()) { \ | |
334 | audit_syscall_enter(args); \ | |
335 | } \ | |
336 | } while (0) | |
337 | ||
338 | /* | |
339 | * Wrap the audit_syscall_exit() function so that it is called only when | |
340 | * we have a audit record on the thread. Audit records can persist after | |
341 | * auditing is disabled, so we don't just check audit_enabled here. | |
342 | */ | |
343 | #define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ | |
344 | if (AUDIT_AUDITING(uthread->uu_ar)) \ | |
345 | audit_syscall_exit(code, error, proc, uthread); \ | |
346 | } while (0) | |
347 | ||
348 | /* | |
349 | * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit() | |
350 | * functions in a manner similar to other system call enter/exit functions. | |
351 | */ | |
352 | #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ | |
353 | if (AUDIT_ENABLED()) { \ | |
354 | audit_mach_syscall_enter(args); \ | |
355 | } \ | |
356 | } while (0) | |
357 | ||
358 | #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ | |
359 | if (AUDIT_SYSCALLS()) { \ | |
360 | struct uthread *__uthread = \ | |
361 | get_bsdthread_info(current_thread()); \ | |
362 | if (AUDIT_AUDITING(__uthread->uu_ar)) \ | |
363 | audit_mach_syscall_exit(retval, __uthread); \ | |
364 | } \ | |
365 | } while (0) | |
366 | ||
367 | /* | |
368 | * A Macro to wrap the audit_sysclose() function. | |
369 | */ | |
370 | #define AUDIT_SYSCLOSE(args...) do { \ | |
371 | if (AUDIT_SYSCALLS()) { \ | |
372 | struct kaudit_record *__ar = AUDIT_RECORD(); \ | |
373 | if (AUDIT_AUDITING(__ar)) \ | |
374 | audit_sysclose(__ar, args); \ | |
375 | } \ | |
376 | } while (0) | |
377 | ||
378 | #else /* !CONFIG_AUDIT */ | |
379 | ||
380 | #define AUDIT_ARG(op, args...) do { \ | |
381 | } while (0) | |
382 | ||
383 | #define AUDIT_SYSCALL_ENTER(args...) do { \ | |
384 | } while (0) | |
385 | ||
386 | #define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ | |
387 | } while (0) | |
388 | ||
389 | #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ | |
390 | } while (0) | |
391 | ||
392 | #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ | |
393 | } while (0) | |
394 | ||
395 | #define AUDIT_SYSCLOSE(op, args...) do { \ | |
396 | } while (0) | |
397 | ||
398 | #define AUDIT_SESSION_REF(cred) do { \ | |
399 | } while (0) | |
400 | ||
401 | #define AUDIT_SESSION_UNREF(cred) do { \ | |
402 | } while (0) | |
403 | ||
404 | #define AUDIT_SESSION_PROCNEW(cred) do { \ | |
405 | } while (0) | |
406 | ||
407 | #define AUDIT_SESSION_PROCEXIT(cred) do { \ | |
408 | } while (0) | |
409 | ||
410 | #define AUDIT_SESSION_REF(cred) do { \ | |
411 | } while (0) | |
412 | ||
413 | #define AUDIT_SESSION_UNREF(cred) do { \ | |
414 | } while (0) | |
415 | ||
416 | #define AUDIT_SESSION_PROCNEW(cred) do { \ | |
417 | } while (0) | |
418 | ||
419 | #define AUDIT_SESSION_PROCEXIT(cred) do { \ | |
420 | } while (0) | |
421 | ||
422 | #endif /* CONFIG_AUDIT */ | |
423 | ||
424 | #endif /* KERNEL */ | |
425 | ||
426 | #endif /* !_SECURITY_AUDIT_ADUIT_H */ |