[apple/xnu.git] / bsd / bsm / audit_kernel.h

/*
 * Copyright (c) 1999-2007 Apple Inc.  All Rights Reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/*
 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
 * support for mandatory and extensible security protections.  This notice
 * is included in support of clause 2.2 (b) of the Apple Public License,
 * Version 2.0.
 */

#ifndef _BSM_AUDIT_KERNEL_H
#define	_BSM_AUDIT_KERNEL_H

#if CONFIG_MACF
#include <sys/queue.h>
#include <security/mac_framework.h>
#endif

#ifdef KERNEL

#include <bsm/audit.h>

#include <sys/sysctl.h>
#include <sys/user.h>
#include <sys/ipc.h>

/*
 * Audit subsystem condition flags.  The audit_enabled flag is set and
 * removed automatically as a result of configuring log files, and
 * can be observed but should not be directly manipulated.  The audit
 * suspension flag permits audit to be temporarily disabled without
 * reconfiguring the audit target.
 */
extern int	audit_enabled;
extern int	audit_suspended;

#define BSM_SUCCESS		0
#define BSM_FAILURE		1
#define BSM_NOAUDIT		2

/*
 * Define the masks for the audited arguments.
 */
#define ARG_EUID		0x0000000000000001ULL
#define ARG_RUID		0x0000000000000002ULL
#define ARG_SUID		0x0000000000000004ULL
#define ARG_EGID		0x0000000000000008ULL
#define ARG_RGID		0x0000000000000010ULL
#define ARG_SGID		0x0000000000000020ULL
#define ARG_PID			0x0000000000000040ULL
#define ARG_UID			0x0000000000000080ULL
#define ARG_AUID		0x0000000000000100ULL
#define ARG_GID			0x0000000000000200ULL
#define ARG_FD			0x0000000000000400ULL
#define ARG_POSIX_IPC_PERM 	0x0000000000000800ULL
#define ARG_FFLAGS		0x0000000000001000ULL
#define ARG_MODE		0x0000000000002000ULL
#define ARG_DEV			0x0000000000004000ULL
#define ARG_ADDR		0x0000000000008000ULL
#define ARG_LEN			0x0000000000010000ULL
#define ARG_MASK		0x0000000000020000ULL
#define ARG_SIGNUM		0x0000000000040000ULL
#define ARG_LOGIN		0x0000000000080000ULL
#define ARG_SADDRINET		0x0000000000100000ULL
#define ARG_SADDRINET6		0x0000000000200000ULL
#define ARG_SADDRUNIX		0x0000000000400000ULL
#define ARG_KPATH1		0x0000000000800000ULL
#define ARG_KPATH2		0x0000000001000000ULL
#define ARG_UPATH1		0x0000000002000000ULL
#define ARG_UPATH2		0x0000000004000000ULL
#define ARG_TEXT		0x0000000008000000ULL
#define ARG_VNODE1		0x0000000010000000ULL
#define ARG_VNODE2		0x0000000020000000ULL
#define ARG_SVIPC_CMD		0x0000000040000000ULL
#define ARG_SVIPC_PERM		0x0000000080000000ULL
#define ARG_SVIPC_ID		0x0000000100000000ULL
#define ARG_SVIPC_ADDR		0x0000000200000000ULL
#define ARG_GROUPSET		0x0000000400000000ULL
#define ARG_CMD			0x0000000800000000ULL
#define ARG_SOCKINFO		0x0000001000000000ULL
#define ARG_ASID		0x0000002000000000ULL
#define ARG_TERMID		0x0000004000000000ULL
#define ARG_AUDITON		0x0000008000000000ULL
#define ARG_VALUE		0x0000010000000000ULL
#define ARG_AMASK		0x0000020000000000ULL
#define ARG_CTLNAME		0x0000040000000000ULL
#define ARG_PROCESS		0x0000080000000000ULL
#define ARG_MACHPORT1		0x0000100000000000ULL
#define ARG_MACHPORT2		0x0000200000000000ULL
#define ARG_MAC_STRING		0x0000400000000000ULL
#define ARG_NONE		0x0000000000000000ULL
#define ARG_ALL			0xFFFFFFFFFFFFFFFFULL

/* Defines for the kernel audit record k_ar_commit field */
#define AR_COMMIT_KERNEL	0x00000001U
#define AR_COMMIT_USER		0x00000010U

struct vnode_au_info {
	mode_t		vn_mode;
	uid_t		vn_uid;
	gid_t		vn_gid;
	dev_t		vn_dev;
	long		vn_fsid;
	long		vn_fileid;
	long		vn_gen;
};

struct groupset {
	gid_t	gidset[NGROUPS];
	u_int	gidset_size;
};

struct socket_au_info {
	int 		so_domain;
	int		so_type;
	int		so_protocol;
	in_addr_t	so_raddr;	/* remote address if INET socket */
	in_addr_t	so_laddr;	/* local address if INET socket */
	u_short		so_rport;	/* remote port */
	u_short		so_lport;	/* local port */
};

union auditon_udata {
	char			au_path[MAXPATHLEN];
	long			au_cond;
	long			au_flags;
	long			au_policy;
	au_evclass_map_t	au_evclass;
	au_mask_t		au_mask;
	auditinfo_t		au_auinfo;
	auditpinfo_t		au_aupinfo;
	auditpinfo_addr_t	au_aupinfo_addr;
	au_qctrl_t		au_qctrl;
	au_stat_t		au_stat;
	au_fstat_t		au_fstat;
};

struct posix_ipc_perm {
	uid_t			pipc_uid;
	gid_t			pipc_gid;
	mode_t			pipc_mode;
};

#if CONFIG_MACF

#define MAC_AUDIT_LABEL_LEN 1024
#define MAC_AUDIT_DATA_TYPE 0
#define MAC_AUDIT_TEXT_TYPE 1

struct mac_audit_record {
	int type;		// one of the types defined above
	int length;		// byte length of the data field
	u_char *data;	// the payload
	LIST_ENTRY(mac_audit_record) records;
};

#endif

struct audit_record {
	/* Audit record header. */
	u_int32_t		ar_magic;
	int			ar_event;
	int			ar_retval; /* value returned to the process */
	int			ar_errno;  /* return status of system call */
	struct timespec		ar_starttime;
	struct timespec		ar_endtime;
	u_int64_t		ar_valid_arg;  /* Bitmask of valid arguments */

	/* Audit subject information. */
	struct xucred			ar_subj_cred;
	uid_t				ar_subj_ruid;
	gid_t				ar_subj_rgid;
	gid_t				ar_subj_egid;
	uid_t				ar_subj_auid; /* Audit user ID */
	pid_t				ar_subj_asid; /* Audit session ID */
	pid_t				ar_subj_pid;
	struct au_tid			ar_subj_term;	
	char				ar_subj_comm[MAXCOMLEN + 1];
	struct au_mask			ar_subj_amask;

	/* Operation arguments. */
	uid_t				ar_arg_euid;
	uid_t				ar_arg_ruid;
	uid_t				ar_arg_suid;
	gid_t				ar_arg_egid;
	gid_t				ar_arg_rgid;
	gid_t				ar_arg_sgid;
	pid_t				ar_arg_pid;
	pid_t				ar_arg_asid;
	struct au_tid			ar_arg_termid;	
	uid_t				ar_arg_uid;
	uid_t				ar_arg_auid;
	gid_t				ar_arg_gid;
	struct groupset			ar_arg_groups;
	int				ar_arg_fd;
	int				ar_arg_fflags;
	mode_t				ar_arg_mode;
	int				ar_arg_dev;
	long				ar_arg_value;
	void *				ar_arg_addr;
	int				ar_arg_len;
	int				ar_arg_mask;
	u_int				ar_arg_signum;
	char				ar_arg_login[MAXLOGNAME];
	int				ar_arg_ctlname[CTL_MAXNAME];
	struct sockaddr			ar_arg_sockaddr;
	struct socket_au_info		ar_arg_sockinfo;
	char				*ar_arg_upath1;
	char				*ar_arg_upath2;
	char				*ar_arg_kpath1;
	char				*ar_arg_kpath2;
#if CONFIG_MACF
	char				*ar_vnode1_mac_labels;
	char				*ar_vnode2_mac_labels;
	char				*ar_cred_mac_labels;
	char				*ar_arg_mac_string;
#endif
	char				*ar_arg_text;
	struct au_mask			ar_arg_amask;
	struct vnode_au_info		ar_arg_vnode1;
	struct vnode_au_info		ar_arg_vnode2;
	int				ar_arg_cmd;
	int				ar_arg_svipc_cmd;
	struct ipc_perm			ar_arg_svipc_perm;
	int				ar_arg_svipc_id;
	user_addr_t			ar_arg_svipc_addr;
	struct posix_ipc_perm		ar_arg_pipc_perm;
	mach_port_name_t		ar_arg_mach_port1;
	mach_port_name_t		ar_arg_mach_port2;
	union auditon_udata		ar_arg_auditon;

#if CONFIG_MACF
	/* MAC security related fields added by MAC policies
	 * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this
	 * call to be audited, 0 otherwise.
	 */
	LIST_HEAD(mac_audit_record_list_t, mac_audit_record)   *ar_mac_records;
	int                             ar_forced_by_mac;
#endif

};

/*
 * In-kernel version of audit record; the basic record plus queue meta-data.
 * This record can also have a pointer set to some opaque data that will
 * be passed through to the audit writing mechanism.
 */
struct kaudit_record {
	struct audit_record		k_ar;
	u_int32_t			k_ar_commit; 
	void 				*k_udata;    /* user data */	
	u_int				k_ulen;     /* user data length */	
	struct uthread			*k_uthread; /* thread we are auditing */
	TAILQ_ENTRY(kaudit_record)	k_q;
};

struct proc;
struct vnode;
struct componentname;

int			 kau_will_audit(void);

void			 audit_abort(struct kaudit_record *ar);
void			 audit_commit(struct kaudit_record *ar, int error, 
					int retval);
void			 audit_init(void);
void			 audit_shutdown(void);

struct kaudit_record	*audit_new(int event, struct proc *p,
			    struct uthread *uthread);

void			 audit_syscall_enter(unsigned short code,
				struct proc *proc, struct uthread *uthread);
#if CONFIG_MACF
/*
 * The parameter list of audit_syscall_exit() was modified to also take the
 * Darwin syscall number, which is required by mac_audit_check_postselect().
 */
void			 audit_syscall_exit(unsigned short code, int error,
				struct proc *proc, struct uthread *uthread);
#else
void			 audit_syscall_exit(int error, struct proc *proc,
				struct uthread *uthread);
#endif
void			 audit_mach_syscall_enter(unsigned short audit_event);
void			 audit_mach_syscall_exit(int retval,
				struct uthread *uthread);

int			kaudit_to_bsm(struct kaudit_record *kar,
					struct au_record **pau);

int			bsm_rec_verify(void *rec);

/*
 * Kernel versions of the BSM audit record functions.
 */
struct au_record 	*kau_open(void);
int			kau_write(struct au_record *rec, token_t *m);
int			kau_close(struct au_record *rec, 
				 struct timespec *endtime, short event);
void			kau_free(struct au_record *rec);
void			kau_init(void);
token_t			*kau_to_file(const char *file, const struct timeval *tv);
token_t			*kau_to_header(const struct timespec *ctime, int rec_size, 
					au_event_t e_type, au_emod_t e_mod);
token_t			*kau_to_header32(const struct timespec *ctime, int rec_size, 
					au_event_t e_type, au_emod_t e_mod);
token_t			*kau_to_header64(const struct timespec *ctime, int rec_size,
					 au_event_t e_type, au_emod_t e_mod);
/*
 * The remaining kernel functions are conditionally compiled in as they
 * are wrapped by a macro, and the macro should be the only place in 
 * the source tree where these functions are referenced.
 */
#if AUDIT
void			 audit_arg_addr(user_addr_t addr);
void			 audit_arg_len(user_size_t len);
void			 audit_arg_fd(int fd);
void			 audit_arg_fflags(int fflags);
void			 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, 
					gid_t sgid);
void			 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, 
					uid_t suid);
void			 audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
void			 audit_arg_login(const char *login);
void			 audit_arg_ctlname(const int *name, int namelen);
void			 audit_arg_mask(int mask);
void			 audit_arg_mode(mode_t mode);
void			 audit_arg_dev(int dev);
void			 audit_arg_value(long value);
void			 audit_arg_owner(uid_t uid, gid_t gid);
void			 audit_arg_pid(pid_t pid);
void			 audit_arg_process(struct proc *p);
void			 audit_arg_signum(u_int signum);
void			 audit_arg_socket(int sodomain, int sotype, 
						int soprotocol);
void			 audit_arg_sockaddr(struct vnode *cwd_vp,
						struct sockaddr *so);
void			 audit_arg_auid(uid_t auid);
void			 audit_arg_auditinfo(const struct auditinfo *au_info);
void			 audit_arg_upath(struct vnode *cwd_vp, char *upath, 
					 u_int64_t flags);
void			 audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
void			 audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
void			 audit_arg_text(const char *text);
void			 audit_arg_cmd(int cmd);
void			 audit_arg_svipc_cmd(int cmd);
void			 audit_arg_svipc_perm(const struct ipc_perm *perm);
void			 audit_arg_svipc_id(int id);
void			 audit_arg_svipc_addr(user_addr_t addr);
void			 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, 
						 mode_t mode);
void			 audit_arg_auditon(const union auditon_udata *udata);
void			 audit_arg_file(struct proc *p, const struct fileproc *fp);
void			 audit_arg_mach_port1(mach_port_name_t port);
void			 audit_arg_mach_port2(mach_port_name_t port);

void			 audit_sysclose(struct proc *p, int fd);

void			 audit_proc_init(struct proc *p);
void			 audit_proc_fork(struct proc *parent, 
					 struct proc *child);
void			 audit_proc_free(struct proc *p);

#if CONFIG_MACF
/* 
 * audit_mac_data() is the MAC Framework's entry point to the audit subsystem.
 * It currently creates only text and data audit tokens.
 */
int			 audit_mac_data(int type, int len, u_char *data);
void			 audit_arg_mac_string(const char *string);

#endif

/*
 * Define a macro to wrap the audit_arg_* calls by checking the global
 * audit_enabled flag before performing the actual call.
 */
#define	AUDIT_ARG(op, args...)	do {					\
	if (audit_enabled)						\
		audit_arg_ ## op (args);				\
	} while (0)

#define AUDIT_SYSCALL_ENTER(args...)	do {				\
	if (audit_enabled) {						\
		audit_syscall_enter(args);				\
	}								\
	} while (0)

/*
 * Wrap the audit_syscall_exit() function so that it is called only when
 * auditing is enabled, or we have a audit record on the thread. It is 
 * possible that an audit record was begun before auditing was turned off.
 */
#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error)	do {		\
	if (audit_enabled || (uthread->uu_ar != NULL)) {		\
		audit_syscall_exit(code, error, proc, uthread);		\
	}								\
	} while (0)

/*
 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
 * functions in a manner similar to other system call enter/exit functions.
 */
#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {			\
	if (audit_enabled) {						\
		audit_mach_syscall_enter(args);				\
	}								\
	} while (0)

#define AUDIT_MACH_SYSCALL_EXIT(retval) 	do {			\
	struct uthread *__uthread = get_bsdthread_info(current_thread());	\
	if (audit_enabled || (__uthread->uu_ar != NULL)) {			\
		audit_mach_syscall_exit(retval, __uthread);		\
	}								\
	} while (0)

/*
 * A Macro to wrap the audit_sysclose() function.
 */
#define	AUDIT_SYSCLOSE(args...)	do {					\
	if (audit_enabled)						\
		audit_sysclose(args);					\
	} while (0)

#else /* !AUDIT */

#define	AUDIT_ARG(op, args...)	do {					\
	} while (0)

#define AUDIT_SYSCALL_ENTER(args...)	do {				\
	} while (0)

#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error)	do {	\
	} while (0)

#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {			\
	} while (0)

#define AUDIT_MACH_SYSCALL_EXIT(retval) 	do {			\
	} while (0)

#define	AUDIT_SYSCLOSE(op, args...)	do {				\
	} while (0)

#endif /* AUDIT */

#endif /* KERNEL */

#endif /* !_BSM_AUDIT_KERNEL_H */
Commit	Line	Data
e5568f75	1	/*
2d21ac55 A	2	* Copyright (c) 1999-2007 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
37839358	5	*
89b3af67 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
2d21ac55 A	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
8f6c56a5	17	*
89b3af67 A	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
8f6c56a5	25	*
2d21ac55 A	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28	/*
	29	* NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
	30	* support for mandatory and extensible security protections. This notice
	31	* is included in support of clause 2.2 (b) of the Apple Public License,
	32	* Version 2.0.
e5568f75 A	33	*/
	34
	35	#ifndef _BSM_AUDIT_KERNEL_H
	36	#define _BSM_AUDIT_KERNEL_H
	37
2d21ac55 A	38	#if CONFIG_MACF
	39	#include <sys/queue.h>
	40	#include <security/mac_framework.h>
	41	#endif
	42
e5568f75 A	43	#ifdef KERNEL
	44
	45	#include <bsm/audit.h>
	46
	47	#include <sys/sysctl.h>
e5568f75	48	#include <sys/user.h>
91447636	49	#include <sys/ipc.h>
e5568f75 A	50
	51	/*
	52	* Audit subsystem condition flags. The audit_enabled flag is set and
	53	* removed automatically as a result of configuring log files, and
	54	* can be observed but should not be directly manipulated. The audit
	55	* suspension flag permits audit to be temporarily disabled without
	56	* reconfiguring the audit target.
	57	*/
	58	extern int audit_enabled;
	59	extern int audit_suspended;
	60
	61	#define BSM_SUCCESS 0
	62	#define BSM_FAILURE 1
	63	#define BSM_NOAUDIT 2
	64
	65	/*
	66	* Define the masks for the audited arguments.
	67	*/
	68	#define ARG_EUID 0x0000000000000001ULL
	69	#define ARG_RUID 0x0000000000000002ULL
	70	#define ARG_SUID 0x0000000000000004ULL
	71	#define ARG_EGID 0x0000000000000008ULL
	72	#define ARG_RGID 0x0000000000000010ULL
	73	#define ARG_SGID 0x0000000000000020ULL
	74	#define ARG_PID 0x0000000000000040ULL
	75	#define ARG_UID 0x0000000000000080ULL
	76	#define ARG_AUID 0x0000000000000100ULL
	77	#define ARG_GID 0x0000000000000200ULL
	78	#define ARG_FD 0x0000000000000400ULL
	79	#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
	80	#define ARG_FFLAGS 0x0000000000001000ULL
	81	#define ARG_MODE 0x0000000000002000ULL
	82	#define ARG_DEV 0x0000000000004000ULL
	83	#define ARG_ADDR 0x0000000000008000ULL
	84	#define ARG_LEN 0x0000000000010000ULL
	85	#define ARG_MASK 0x0000000000020000ULL
	86	#define ARG_SIGNUM 0x0000000000040000ULL
	87	#define ARG_LOGIN 0x0000000000080000ULL
	88	#define ARG_SADDRINET 0x0000000000100000ULL
	89	#define ARG_SADDRINET6 0x0000000000200000ULL
	90	#define ARG_SADDRUNIX 0x0000000000400000ULL
	91	#define ARG_KPATH1 0x0000000000800000ULL
	92	#define ARG_KPATH2 0x0000000001000000ULL
	93	#define ARG_UPATH1 0x0000000002000000ULL
	94	#define ARG_UPATH2 0x0000000004000000ULL
	95	#define ARG_TEXT 0x0000000008000000ULL
	96	#define ARG_VNODE1 0x0000000010000000ULL
	97	#define ARG_VNODE2 0x0000000020000000ULL
	98	#define ARG_SVIPC_CMD 0x0000000040000000ULL
	99	#define ARG_SVIPC_PERM 0x0000000080000000ULL
	100	#define ARG_SVIPC_ID 0x0000000100000000ULL
	101	#define ARG_SVIPC_ADDR 0x0000000200000000ULL
	102	#define ARG_GROUPSET 0x0000000400000000ULL
	103	#define ARG_CMD 0x0000000800000000ULL
	104	#define ARG_SOCKINFO 0x0000001000000000ULL
	105	#define ARG_ASID 0x0000002000000000ULL
	106	#define ARG_TERMID 0x0000004000000000ULL
	107	#define ARG_AUDITON 0x0000008000000000ULL
	108	#define ARG_VALUE 0x0000010000000000ULL
	109	#define ARG_AMASK 0x0000020000000000ULL
	110	#define ARG_CTLNAME 0x0000040000000000ULL
	111	#define ARG_PROCESS 0x0000080000000000ULL
	112	#define ARG_MACHPORT1 0x0000100000000000ULL
	113	#define ARG_MACHPORT2 0x0000200000000000ULL
2d21ac55	114	#define ARG_MAC_STRING 0x0000400000000000ULL
e5568f75 A	115	#define ARG_NONE 0x0000000000000000ULL
	116	#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
	117
	118	/* Defines for the kernel audit record k_ar_commit field */
	119	#define AR_COMMIT_KERNEL 0x00000001U
	120	#define AR_COMMIT_USER 0x00000010U
	121
	122	struct vnode_au_info {
	123	mode_t vn_mode;
	124	uid_t vn_uid;
	125	gid_t vn_gid;
	126	dev_t vn_dev;
	127	long vn_fsid;
	128	long vn_fileid;
	129	long vn_gen;
	130	};
	131
	132	struct groupset {
	133	gid_t gidset[NGROUPS];
	134	u_int gidset_size;
	135	};
	136
	137	struct socket_au_info {
	138	int so_domain;
	139	int so_type;
	140	int so_protocol;
	141	in_addr_t so_raddr; /* remote address if INET socket */
	142	in_addr_t so_laddr; /* local address if INET socket */
	143	u_short so_rport; /* remote port */
	144	u_short so_lport; /* local port */
	145	};
	146
	147	union auditon_udata {
	148	char au_path[MAXPATHLEN];
	149	long au_cond;
	150	long au_flags;
	151	long au_policy;
	152	au_evclass_map_t au_evclass;
	153	au_mask_t au_mask;
	154	auditinfo_t au_auinfo;
	155	auditpinfo_t au_aupinfo;
	156	auditpinfo_addr_t au_aupinfo_addr;
	157	au_qctrl_t au_qctrl;
	158	au_stat_t au_stat;
	159	au_fstat_t au_fstat;
	160	};
	161
	162	struct posix_ipc_perm {
	163	uid_t pipc_uid;
	164	gid_t pipc_gid;
	165	mode_t pipc_mode;
	166	};
	167
2d21ac55 A	168	#if CONFIG_MACF
	169
	170	#define MAC_AUDIT_LABEL_LEN 1024
	171	#define MAC_AUDIT_DATA_TYPE 0
	172	#define MAC_AUDIT_TEXT_TYPE 1
	173
	174	struct mac_audit_record {
	175	int type; // one of the types defined above
	176	int length; // byte length of the data field
	177	u_char *data; // the payload
	178	LIST_ENTRY(mac_audit_record) records;
	179	};
	180
	181	#endif
	182
e5568f75 A	183	struct audit_record {
	184	/* Audit record header. */
	185	u_int32_t ar_magic;
	186	int ar_event;
	187	int ar_retval; /* value returned to the process */
	188	int ar_errno; /* return status of system call */
	189	struct timespec ar_starttime;
	190	struct timespec ar_endtime;
	191	u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
	192
	193	/* Audit subject information. */
	194	struct xucred ar_subj_cred;
	195	uid_t ar_subj_ruid;
	196	gid_t ar_subj_rgid;
	197	gid_t ar_subj_egid;
	198	uid_t ar_subj_auid; /* Audit user ID */
	199	pid_t ar_subj_asid; /* Audit session ID */
	200	pid_t ar_subj_pid;
	201	struct au_tid ar_subj_term;
	202	char ar_subj_comm[MAXCOMLEN + 1];
	203	struct au_mask ar_subj_amask;
	204
	205	/* Operation arguments. */
	206	uid_t ar_arg_euid;
	207	uid_t ar_arg_ruid;
	208	uid_t ar_arg_suid;
	209	gid_t ar_arg_egid;
	210	gid_t ar_arg_rgid;
	211	gid_t ar_arg_sgid;
	212	pid_t ar_arg_pid;
	213	pid_t ar_arg_asid;
	214	struct au_tid ar_arg_termid;
	215	uid_t ar_arg_uid;
	216	uid_t ar_arg_auid;
	217	gid_t ar_arg_gid;
	218	struct groupset ar_arg_groups;
	219	int ar_arg_fd;
	220	int ar_arg_fflags;
	221	mode_t ar_arg_mode;
	222	int ar_arg_dev;
	223	long ar_arg_value;
	224	void * ar_arg_addr;
	225	int ar_arg_len;
	226	int ar_arg_mask;
	227	u_int ar_arg_signum;
	228	char ar_arg_login[MAXLOGNAME];
	229	int ar_arg_ctlname[CTL_MAXNAME];
	230	struct sockaddr ar_arg_sockaddr;
	231	struct socket_au_info ar_arg_sockinfo;
	232	char *ar_arg_upath1;
	233	char *ar_arg_upath2;
	234	char *ar_arg_kpath1;
	235	char *ar_arg_kpath2;
2d21ac55 A	236	#if CONFIG_MACF
	237	char *ar_vnode1_mac_labels;
	238	char *ar_vnode2_mac_labels;
	239	char *ar_cred_mac_labels;
	240	char *ar_arg_mac_string;
	241	#endif
e5568f75 A	242	char *ar_arg_text;
	243	struct au_mask ar_arg_amask;
	244	struct vnode_au_info ar_arg_vnode1;
	245	struct vnode_au_info ar_arg_vnode2;
	246	int ar_arg_cmd;
	247	int ar_arg_svipc_cmd;
	248	struct ipc_perm ar_arg_svipc_perm;
	249	int ar_arg_svipc_id;
2d21ac55	250	user_addr_t ar_arg_svipc_addr;
e5568f75	251	struct posix_ipc_perm ar_arg_pipc_perm;
91447636 A	252	mach_port_name_t ar_arg_mach_port1;
91447636 A	253	mach_port_name_t ar_arg_mach_port2;
e5568f75	254	union auditon_udata ar_arg_auditon;
2d21ac55 A	255
	256	#if CONFIG_MACF
	257	/* MAC security related fields added by MAC policies
	258	* ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this
	259	* call to be audited, 0 otherwise.
	260	*/
	261	LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records;
	262	int ar_forced_by_mac;
	263	#endif
	264
e5568f75 A	265	};
	266
	267	/*
	268	* In-kernel version of audit record; the basic record plus queue meta-data.
	269	* This record can also have a pointer set to some opaque data that will
	270	* be passed through to the audit writing mechanism.
	271	*/
	272	struct kaudit_record {
	273	struct audit_record k_ar;
	274	u_int32_t k_ar_commit;
	275	void k_udata; / user data */
	276	u_int k_ulen; /* user data length */
	277	struct uthread k_uthread; / thread we are auditing */
	278	TAILQ_ENTRY(kaudit_record) k_q;
	279	};
	280
	281	struct proc;
	282	struct vnode;
	283	struct componentname;
	284
2d21ac55 A	285	int kau_will_audit(void);
2d21ac55 A	286
e5568f75 A	287	void audit_abort(struct kaudit_record *ar);
	288	void audit_commit(struct kaudit_record *ar, int error,
	289	int retval);
	290	void audit_init(void);
	291	void audit_shutdown(void);
	292
	293	struct kaudit_record audit_new(int event, struct proc p,
	294	struct uthread *uthread);
	295
	296	void audit_syscall_enter(unsigned short code,
	297	struct proc proc, struct uthread uthread);
2d21ac55 A	298	#if CONFIG_MACF
	299	/*
	300	* The parameter list of audit_syscall_exit() was modified to also take the
	301	* Darwin syscall number, which is required by mac_audit_check_postselect().
	302	*/
	303	void audit_syscall_exit(unsigned short code, int error,
	304	struct proc proc, struct uthread uthread);
	305	#else
e5568f75 A	306	void audit_syscall_exit(int error, struct proc *proc,
e5568f75 A	307	struct uthread *uthread);
2d21ac55	308	#endif
e5568f75 A	309	void audit_mach_syscall_enter(unsigned short audit_event);
	310	void audit_mach_syscall_exit(int retval,
	311	struct uthread *uthread);
	312
	313	int kaudit_to_bsm(struct kaudit_record *kar,
	314	struct au_record **pau);
	315
	316	int bsm_rec_verify(void *rec);
	317
	318	/*
	319	* Kernel versions of the BSM audit record functions.
	320	*/
	321	struct au_record *kau_open(void);
	322	int kau_write(struct au_record rec, token_t m);
	323	int kau_close(struct au_record *rec,
	324	struct timespec *endtime, short event);
	325	void kau_free(struct au_record *rec);
	326	void kau_init(void);
91447636 A	327	token_t kau_to_file(const char file, const struct timeval *tv);
91447636 A	328	token_t kau_to_header(const struct timespec ctime, int rec_size,
e5568f75	329	au_event_t e_type, au_emod_t e_mod);
91447636	330	token_t kau_to_header32(const struct timespec ctime, int rec_size,
e5568f75	331	au_event_t e_type, au_emod_t e_mod);
91447636	332	token_t kau_to_header64(const struct timespec ctime, int rec_size,
e5568f75 A	333	au_event_t e_type, au_emod_t e_mod);
	334	/*
	335	* The remaining kernel functions are conditionally compiled in as they
	336	* are wrapped by a macro, and the macro should be the only place in
	337	* the source tree where these functions are referenced.
	338	*/
2d21ac55	339	#if AUDIT
91447636 A	340	void audit_arg_addr(user_addr_t addr);
91447636 A	341	void audit_arg_len(user_size_t len);
e5568f75 A	342	void audit_arg_fd(int fd);
	343	void audit_arg_fflags(int fflags);
	344	void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
	345	gid_t sgid);
	346	void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
	347	uid_t suid);
91447636 A	348	void audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
	349	void audit_arg_login(const char *login);
	350	void audit_arg_ctlname(const int *name, int namelen);
e5568f75 A	351	void audit_arg_mask(int mask);
	352	void audit_arg_mode(mode_t mode);
	353	void audit_arg_dev(int dev);
	354	void audit_arg_value(long value);
	355	void audit_arg_owner(uid_t uid, gid_t gid);
	356	void audit_arg_pid(pid_t pid);
	357	void audit_arg_process(struct proc *p);
	358	void audit_arg_signum(u_int signum);
	359	void audit_arg_socket(int sodomain, int sotype,
	360	int soprotocol);
2d21ac55	361	void audit_arg_sockaddr(struct vnode *cwd_vp,
e5568f75 A	362	struct sockaddr *so);
e5568f75 A	363	void audit_arg_auid(uid_t auid);
91447636	364	void audit_arg_auditinfo(const struct auditinfo *au_info);
2d21ac55	365	void audit_arg_upath(struct vnode cwd_vp, char upath,
e5568f75 A	366	u_int64_t flags);
e5568f75 A	367	void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
91447636 A	368	void audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
91447636 A	369	void audit_arg_text(const char *text);
e5568f75 A	370	void audit_arg_cmd(int cmd);
e5568f75 A	371	void audit_arg_svipc_cmd(int cmd);
91447636	372	void audit_arg_svipc_perm(const struct ipc_perm *perm);
e5568f75	373	void audit_arg_svipc_id(int id);
2d21ac55	374	void audit_arg_svipc_addr(user_addr_t addr);
e5568f75 A	375	void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
e5568f75 A	376	mode_t mode);
91447636 A	377	void audit_arg_auditon(const union auditon_udata *udata);
	378	void audit_arg_file(struct proc p, const struct fileproc fp);
	379	void audit_arg_mach_port1(mach_port_name_t port);
	380	void audit_arg_mach_port2(mach_port_name_t port);
e5568f75 A	381
	382	void audit_sysclose(struct proc *p, int fd);
	383
	384	void audit_proc_init(struct proc *p);
	385	void audit_proc_fork(struct proc *parent,
	386	struct proc *child);
	387	void audit_proc_free(struct proc *p);
	388
2d21ac55 A	389	#if CONFIG_MACF
	390	/*
	391	* audit_mac_data() is the MAC Framework's entry point to the audit subsystem.
	392	* It currently creates only text and data audit tokens.
	393	*/
	394	int audit_mac_data(int type, int len, u_char *data);
	395	void audit_arg_mac_string(const char *string);
	396
	397	#endif
	398
e5568f75 A	399	/*
	400	* Define a macro to wrap the audit_arg_* calls by checking the global
	401	* audit_enabled flag before performing the actual call.
	402	*/
	403	#define AUDIT_ARG(op, args...) do { \
	404	if (audit_enabled) \
	405	audit_arg_ ## op (args); \
	406	} while (0)
	407
	408	#define AUDIT_SYSCALL_ENTER(args...) do { \
	409	if (audit_enabled) { \
	410	audit_syscall_enter(args); \
	411	} \
	412	} while (0)
	413
	414	/*
	415	* Wrap the audit_syscall_exit() function so that it is called only when
	416	* auditing is enabled, or we have a audit record on the thread. It is
	417	* possible that an audit record was begun before auditing was turned off.
	418	*/
2d21ac55 A	419	#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \
	420	if (audit_enabled \|\| (uthread->uu_ar != NULL)) { \
	421	audit_syscall_exit(code, error, proc, uthread); \
e5568f75 A	422	} \
	423	} while (0)
	424
	425	/*
	426	* Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
	427	* functions in a manner similar to other system call enter/exit functions.
	428	*/
	429	#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
	430	if (audit_enabled) { \
	431	audit_mach_syscall_enter(args); \
	432	} \
	433	} while (0)
	434
	435	#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
91447636 A	436	struct uthread *__uthread = get_bsdthread_info(current_thread()); \
	437	if (audit_enabled \|\| (__uthread->uu_ar != NULL)) { \
	438	audit_mach_syscall_exit(retval, __uthread); \
e5568f75 A	439	} \
	440	} while (0)
	441
	442	/*
	443	* A Macro to wrap the audit_sysclose() function.
	444	*/
	445	#define AUDIT_SYSCLOSE(args...) do { \
	446	if (audit_enabled) \
	447	audit_sysclose(args); \
	448	} while (0)
	449
	450	#else /* !AUDIT */
2d21ac55 A	451
	452	#define AUDIT_ARG(op, args...) do { \
	453	} while (0)
	454
e5568f75 A	455	#define AUDIT_SYSCALL_ENTER(args...) do { \
	456	} while (0)
	457
2d21ac55	458	#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \
e5568f75 A	459	} while (0)
	460
	461	#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
	462	} while (0)
	463
	464	#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
	465	} while (0)
	466
	467	#define AUDIT_SYSCLOSE(op, args...) do { \
	468	} while (0)
	469
	470	#endif /* AUDIT */
	471
	472	#endif /* KERNEL */
	473
	474	#endif /* !_BSM_AUDIT_KERNEL_H */