[apple/xnu.git] / bsd / bsm / audit_record.h

/*
 * @APPLE_LICENSE_HEADER_START@
 * 
 * Copyright (c) 1999-2004 Apple Computer, Inc.  All Rights Reserved.
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef _BSM_AUDIT_RECORD_H_
#define _BSM_AUDIT_RECORD_H_

#include <sys/cdefs.h>
#include <sys/vnode.h>
#include <sys/ipc.h>
#include <sys/un.h>
#include <sys/event.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>

/* We could determined the header and trailer sizes by
 * defining appropriate structures. We hold off that approach
 * till we have a consistant way of using structures for all tokens.
 * This is not straightforward since these token structures may
 * contain pointers of whose contents we dont know the size
 * (e.g text tokens)
 */
#define HEADER_SIZE     18
#define TRAILER_SIZE    7
        
#define ADD_U_CHAR(loc, val) \
        do {\
		*loc = val;\
                loc += sizeof(u_char);\
        }while(0)
    

#define ADD_U_INT16(loc, val) \
        do { \
		memcpy(loc, (u_char *)&val, sizeof(u_int16_t));\
                loc += sizeof(u_int16_t); \
        }while(0)

#define ADD_U_INT32(loc, val) \
        do { \
		memcpy(loc, (u_char *)&val, sizeof(u_int32_t));\
                loc += sizeof(u_int32_t); \
        }while(0)

#define ADD_U_INT64(loc, val)\
        do {\
		memcpy(loc, (u_char *)&val, sizeof(u_int64_t));\
                loc += sizeof(u_int64_t); \
        }while(0)

#define ADD_MEM(loc, data, size) \
        do { \
                memcpy(loc, data, size);\
                loc += size;\
        }while(0)

#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)


/* Various token id types */

/* 
 * Values inside the comments are not documented in the BSM pages and
 * have been picked up from the header files 
 */  

/*
 * Values marked as XXX do not have a value defined in the BSM header files 
 */   

/*
 * Control token types

#define AUT_OTHER_FILE              ((char)0x11)
#define AUT_OTHER_FILE32            AUT_OTHER_FILE
#define AUT_OHEADER                 ((char)0x12)

 */

#define AUT_INVALID                 0x00
#define AU_FILE_TOKEN               0x11
#define AU_TRAILER_TOKEN            0x13 
#define AU_HEADER_32_TOKEN          0x14	
#define AU_HEADER_EX_32_TOKEN       0x15

/*
 * Data token types
#define AUT_SERVER              ((char)0x25)
#define AUT_SERVER32            AUT_SERVER
 */

#define AU_DATA_TOKEN               0x21
#define AU_ARB_TOKEN                AU_DATA_TOKEN	
#define AU_IPC_TOKEN                0x22
#define AU_PATH_TOKEN               0x23
#define AU_SUBJECT_32_TOKEN         0x24
#define AU_PROCESS_32_TOKEN         0x26
#define AU_RETURN_32_TOKEN          0x27
#define AU_TEXT_TOKEN               0x28
#define AU_OPAQUE_TOKEN             0x29
#define AU_IN_ADDR_TOKEN            0x2A
#define AU_IP_TOKEN                 0x2B
#define AU_IPORT_TOKEN              0x2C
#define AU_ARG32_TOKEN              0x2D	
#define AU_SOCK_TOKEN               0x2E
#define AU_SEQ_TOKEN                0x2F

/*
 * Modifier token types

#define AUT_ACL                 ((char)0x30)
#define AUT_LABEL               ((char)0x33)
#define AUT_GROUPS              ((char)0x34)
#define AUT_ILABEL              ((char)0x35)
#define AUT_SLABEL              ((char)0x36)
#define AUT_CLEAR               ((char)0x37)
#define AUT_PRIV                ((char)0x38)
#define AUT_UPRIV               ((char)0x39)
#define AUT_LIAISON             ((char)0x3A)
 
 */

#define AU_ATTR_TOKEN               0x31
#define AU_IPCPERM_TOKEN            0x32
#define AU_NEWGROUPS_TOKEN          0x3B
#define AU_EXEC_ARG_TOKEN           0x3C
#define AU_EXEC_ENV_TOKEN           0x3D
#define AU_ATTR32_TOKEN             0x3E

/*
 * Command token types
 */
 
#define AU_CMD_TOKEN                0x51
#define AU_EXIT_TOKEN               0x52

/*
 * Miscellaneous token types

#define AUT_HOST                ((char)0x70)

 */

/*
 * 64bit token types

#define AUT_SERVER64            ((char)0x76)
#define AUT_OTHER_FILE64		((char)0x78)

 */

#define AU_ARG64_TOKEN              0x71
#define AU_RETURN_64_TOKEN          0x72
#define AU_ATTR64_TOKEN             0x73
#define AU_HEADER_64_TOKEN          0x74
#define AU_SUBJECT_64_TOKEN         0x75
#define AU_PROCESS_64_TOKEN         0x77

/*
 * Extended network address token types
 */
 
#define AU_HEADER_EX_64_TOKEN       0x79
#define AU_SUBJECT_32_EX_TOKEN      0x7a	
#define AU_PROCESS_32_EX_TOKEN      0x7b
#define AU_SUBJECT_64_EX_TOKEN      0x7c
#define AU_PROCESS_64_EX_TOKEN      0x7d
#define AU_IN_ADDR_EX_TOKEN	    0x7e
#define AU_SOCK_EX32_TOKEN          0x7f
#define AU_SOCK_EX128_TOKEN         AUT_INVALID         /*XXX*/
#define AU_IP_EX_TOKEN              AUT_INVALID         /*XXX*/

/*
 * The values for the following token ids are not
 * defined by BSM
 */
#define AU_SOCK_INET_32_TOKEN       0x80         /*XXX*/ 
#define AU_SOCK_INET_128_TOKEN      0x81         /*XXX*/
#define AU_SOCK_UNIX_TOKEN          0x82         /*XXX*/

/* print values for the arbitrary token */
#define AUP_BINARY      0
#define AUP_OCTAL       1
#define AUP_DECIMAL     2
#define AUP_HEX         3
#define AUP_STRING      4

/* data-types for the arbitrary token */
#define AUR_BYTE        0
#define AUR_SHORT       1
#define AUR_LONG        2

/* ... and their sizes */
#define AUR_BYTE_SIZE       sizeof(u_char)	
#define AUR_SHORT_SIZE      sizeof(u_int16_t)
#define AUR_LONG_SIZE       sizeof(u_int32_t)

/* Modifiers for the header token */
#define PAD_NOTATTR  0x4000   /* nonattributable event */
#define PAD_FAILURE  0x8000   /* fail audit event */


#define MAX_GROUPS          16
#define HEADER_VERSION      1
#define TRAILER_PAD_MAGIC   0xB105

/* BSM library calls */

__BEGIN_DECLS

int			au_open(void);
int			au_write(int d, token_t *m);
int			au_close(int d, int keep, short event);
token_t			*au_to_file(char *file);
token_t			*au_to_header(int rec_size, au_event_t e_type, 
					au_emod_t e_mod);
token_t			*au_to_header32(int rec_size, au_event_t e_type, 
					au_emod_t e_mod);
token_t			*au_to_header64(int rec_size, au_event_t e_type, 
					au_emod_t e_mod);
token_t			*au_to_me(void);
                               
token_t			*au_to_arg(char n, char *text, u_int32_t v);
token_t			*au_to_arg32(char n, char *text, u_int32_t v);
token_t			*au_to_arg64(char n, char *text, u_int64_t v);
token_t			*au_to_attr(struct vattr *attr);
token_t			*au_to_attr32(struct vattr *attr);
token_t			*au_to_attr64(struct vattr *attr);
token_t			*au_to_data(char unit_print, char unit_type,
				char unit_count, char *p);
token_t			*au_to_exit(int retval, int err);
token_t			*au_to_groups(int *groups);
token_t			*au_to_newgroups(u_int16_t n, gid_t *groups);
token_t			*au_to_in_addr(struct in_addr *internet_addr);
token_t			*au_to_in_addr_ex(struct in6_addr *internet_addr);
token_t			*au_to_ip(struct ip *ip);
token_t			*au_to_ipc(char type, int id);
token_t			*au_to_ipc_perm(struct ipc_perm *perm);
token_t			*au_to_iport(u_int16_t iport);
token_t			*au_to_opaque(char *data, u_int16_t bytes);
token_t			*au_to_path(char *path);
token_t			*au_to_process(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_process64(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_process_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_process32_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_process64_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_return(char status, u_int32_t ret);
token_t			*au_to_return32(char status, u_int32_t ret);
token_t			*au_to_return64(char status, u_int64_t ret);
token_t			*au_to_seq(long audit_count);
token_t			*au_to_socket(struct socket *so);
token_t			*au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, 
				struct sockaddr *la, struct sockaddr *ta);
token_t			*au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, 
				struct sockaddr *la, struct sockaddr *ta);
token_t			*au_to_sock_inet(struct sockaddr_in *so);
token_t			*au_to_sock_inet32(struct sockaddr_in *so);
token_t			*au_to_sock_inet128(struct sockaddr_in6 *so);
token_t			*au_to_sock_unix(struct sockaddr_un *so);
token_t			*au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_subject64(au_id_t auid, uid_t euid, gid_t egid,
				uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_t *tid);
token_t			*au_to_subject_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_subject32_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_subject64_ex(au_id_t auid, uid_t euid,
				gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
				au_asid_t sid, au_tid_addr_t *tid);
token_t			*au_to_exec_args(const char **);
token_t			*au_to_exec_env(const char **);
token_t			*au_to_text(char *text);
token_t			*au_to_kevent(struct kevent *kev);
token_t			*au_to_trailer(int rec_size);

__END_DECLS

#endif /* ! _BSM_AUDIT_RECORD_H_ */
Commit	Line	Data
55e303ae	1	/*
55e303ae A	2	* @APPLE_LICENSE_HEADER_START@
55e303ae A	3	*
e5568f75	4	* Copyright (c) 1999-2004 Apple Computer, Inc. All Rights Reserved.
55e303ae A	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
e5568f75 A	24	#ifndef _BSM_AUDIT_RECORD_H_
e5568f75 A	25	#define _BSM_AUDIT_RECORD_H_
55e303ae	26
e5568f75	27	#include <sys/cdefs.h>
55e303ae A	28	#include <sys/vnode.h>
	29	#include <sys/ipc.h>
	30	#include <sys/un.h>
e5568f75	31	#include <sys/event.h>
55e303ae A	32	#include <netinet/in_systm.h>
	33	#include <netinet/in.h>
	34	#include <netinet/ip.h>
	35
	36	/* We could determined the header and trailer sizes by
	37	* defining appropriate structures. We hold off that approach
	38	* till we have a consistant way of using structures for all tokens.
	39	* This is not straightforward since these token structures may
	40	* contain pointers of whose contents we dont know the size
	41	* (e.g text tokens)
	42	*/
	43	#define HEADER_SIZE 18
	44	#define TRAILER_SIZE 7
	45
	46	#define ADD_U_CHAR(loc, val) \
	47	do {\
	48	*loc = val;\
	49	loc += sizeof(u_char);\
	50	}while(0)
	51
	52
	53	#define ADD_U_INT16(loc, val) \
	54	do { \
	55	memcpy(loc, (u_char *)&val, sizeof(u_int16_t));\
	56	loc += sizeof(u_int16_t); \
	57	}while(0)
	58
	59	#define ADD_U_INT32(loc, val) \
	60	do { \
	61	memcpy(loc, (u_char *)&val, sizeof(u_int32_t));\
	62	loc += sizeof(u_int32_t); \
	63	}while(0)
	64
	65	#define ADD_U_INT64(loc, val)\
	66	do {\
	67	memcpy(loc, (u_char *)&val, sizeof(u_int64_t));\
	68	loc += sizeof(u_int64_t); \
	69	}while(0)
	70
	71	#define ADD_MEM(loc, data, size) \
	72	do { \
	73	memcpy(loc, data, size);\
	74	loc += size;\
	75	}while(0)
	76
	77	#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
	78
	79
	80	/* Various token id types */
	81
	82	/*
	83	* Values inside the comments are not documented in the BSM pages and
	84	* have been picked up from the header files
	85	*/
	86
	87	/*
	88	* Values marked as XXX do not have a value defined in the BSM header files
	89	*/
	90
	91	/*
	92	* Control token types
	93
	94	#define AUT_OTHER_FILE ((char)0x11)
	95	#define AUT_OTHER_FILE32 AUT_OTHER_FILE
96	#define AUT_OHEADER ((char)0x12)
97
98	*/
99
100	#define AUT_INVALID 0x00
101	#define AU_FILE_TOKEN 0x11
102	#define AU_TRAILER_TOKEN 0x13
103	#define AU_HEADER_32_TOKEN 0x14
104	#define AU_HEADER_EX_32_TOKEN 0x15
105
55e303ae A	106	/*
	107	* Data token types
	108	#define AUT_SERVER ((char)0x25)
	109	#define AUT_SERVER32 AUT_SERVER
	110	*/
	111
	112	#define AU_DATA_TOKEN 0x21
	113	#define AU_ARB_TOKEN AU_DATA_TOKEN
	114	#define AU_IPC_TOKEN 0x22
	115	#define AU_PATH_TOKEN 0x23
	116	#define AU_SUBJECT_32_TOKEN 0x24
	117	#define AU_PROCESS_32_TOKEN 0x26
	118	#define AU_RETURN_32_TOKEN 0x27
	119	#define AU_TEXT_TOKEN 0x28
	120	#define AU_OPAQUE_TOKEN 0x29
	121	#define AU_IN_ADDR_TOKEN 0x2A
	122	#define AU_IP_TOKEN 0x2B
	123	#define AU_IPORT_TOKEN 0x2C
	124	#define AU_ARG32_TOKEN 0x2D
	125	#define AU_SOCK_TOKEN 0x2E
	126	#define AU_SEQ_TOKEN 0x2F
	127
	128	/*
	129	* Modifier token types
	130
	131	#define AUT_ACL ((char)0x30)
	132	#define AUT_LABEL ((char)0x33)
	133	#define AUT_GROUPS ((char)0x34)
	134	#define AUT_ILABEL ((char)0x35)
	135	#define AUT_SLABEL ((char)0x36)
	136	#define AUT_CLEAR ((char)0x37)
	137	#define AUT_PRIV ((char)0x38)
	138	#define AUT_UPRIV ((char)0x39)
	139	#define AUT_LIAISON ((char)0x3A)
	140
	141	*/
	142
	143	#define AU_ATTR_TOKEN 0x31
	144	#define AU_IPCPERM_TOKEN 0x32
	145	#define AU_NEWGROUPS_TOKEN 0x3B
	146	#define AU_EXEC_ARG_TOKEN 0x3C
	147	#define AU_EXEC_ENV_TOKEN 0x3D
	148	#define AU_ATTR32_TOKEN 0x3E
	149
55e303ae A	150	/*
	151	* Command token types
	152	*/
	153
	154	#define AU_CMD_TOKEN 0x51
	155	#define AU_EXIT_TOKEN 0x52
	156
55e303ae A	157	/*
	158	* Miscellaneous token types
	159
	160	#define AUT_HOST ((char)0x70)
	161
	162	*/
	163
	164	/*
	165	* 64bit token types
	166
	167	#define AUT_SERVER64 ((char)0x76)
	168	#define AUT_OTHER_FILE64 ((char)0x78)
	169
	170	*/
	171
	172	#define AU_ARG64_TOKEN 0x71
	173	#define AU_RETURN_64_TOKEN 0x72
	174	#define AU_ATTR64_TOKEN 0x73
	175	#define AU_HEADER_64_TOKEN 0x74
	176	#define AU_SUBJECT_64_TOKEN 0x75
	177	#define AU_PROCESS_64_TOKEN 0x77
	178
55e303ae A	179	/*
	180	* Extended network address token types
	181	*/
	182
	183	#define AU_HEADER_EX_64_TOKEN 0x79
	184	#define AU_SUBJECT_32_EX_TOKEN 0x7a
	185	#define AU_PROCESS_32_EX_TOKEN 0x7b
	186	#define AU_SUBJECT_64_EX_TOKEN 0x7c
	187	#define AU_PROCESS_64_EX_TOKEN 0x7d
e5568f75	188	#define AU_IN_ADDR_EX_TOKEN 0x7e
55e303ae A	189	#define AU_SOCK_EX32_TOKEN 0x7f
	190	#define AU_SOCK_EX128_TOKEN AUT_INVALID /XXX/
	191	#define AU_IP_EX_TOKEN AUT_INVALID /XXX/
	192
55e303ae	193	/*
e5568f75	194	* The values for the following token ids are not
55e303ae A	195	* defined by BSM
	196	*/
	197	#define AU_SOCK_INET_32_TOKEN 0x80 /XXX/
	198	#define AU_SOCK_INET_128_TOKEN 0x81 /XXX/
	199	#define AU_SOCK_UNIX_TOKEN 0x82 /XXX/
	200
	201	/* print values for the arbitrary token */
	202	#define AUP_BINARY 0
	203	#define AUP_OCTAL 1
	204	#define AUP_DECIMAL 2
	205	#define AUP_HEX 3
	206	#define AUP_STRING 4
	207
55e303ae A	208	/* data-types for the arbitrary token */
	209	#define AUR_BYTE 0
	210	#define AUR_SHORT 1
	211	#define AUR_LONG 2
	212
	213	/* ... and their sizes */
	214	#define AUR_BYTE_SIZE sizeof(u_char)
	215	#define AUR_SHORT_SIZE sizeof(u_int16_t)
	216	#define AUR_LONG_SIZE sizeof(u_int32_t)
	217
	218	/* Modifiers for the header token */
	219	#define PAD_NOTATTR 0x4000 /* nonattributable event */
	220	#define PAD_FAILURE 0x8000 /* fail audit event */
	221
	222
	223	#define MAX_GROUPS 16
	224	#define HEADER_VERSION 1
	225	#define TRAILER_PAD_MAGIC 0xB105
	226
	227	/* BSM library calls */
	228
e5568f75 A	229	__BEGIN_DECLS
e5568f75 A	230
55e303ae A	231	int au_open(void);
	232	int au_write(int d, token_t *m);
	233	int au_close(int d, int keep, short event);
	234	token_t au_to_file(char file);
	235	token_t *au_to_header(int rec_size, au_event_t e_type,
	236	au_emod_t e_mod);
	237	token_t *au_to_header32(int rec_size, au_event_t e_type,
	238	au_emod_t e_mod);
	239	token_t *au_to_header64(int rec_size, au_event_t e_type,
	240	au_emod_t e_mod);
	241	token_t *au_to_me(void);
	242
	243	token_t au_to_arg(char n, char text, u_int32_t v);
	244	token_t au_to_arg32(char n, char text, u_int32_t v);
	245	token_t au_to_arg64(char n, char text, u_int64_t v);
	246	token_t au_to_attr(struct vattr attr);
	247	token_t au_to_attr32(struct vattr attr);
	248	token_t au_to_attr64(struct vattr attr);
	249	token_t *au_to_data(char unit_print, char unit_type,
	250	char unit_count, char *p);
	251	token_t *au_to_exit(int retval, int err);
	252	token_t au_to_groups(int groups);
	253	token_t au_to_newgroups(u_int16_t n, gid_t groups);
	254	token_t au_to_in_addr(struct in_addr internet_addr);
	255	token_t au_to_in_addr_ex(struct in6_addr internet_addr);
	256	token_t au_to_ip(struct ip ip);
	257	token_t *au_to_ipc(char type, int id);
	258	token_t au_to_ipc_perm(struct ipc_perm perm);
	259	token_t *au_to_iport(u_int16_t iport);
	260	token_t au_to_opaque(char data, u_int16_t bytes);
	261	token_t au_to_path(char path);
	262	token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
	263	uid_t ruid, gid_t rgid, pid_t pid,
	264	au_asid_t sid, au_tid_t *tid);
	265	token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
	266	uid_t ruid, gid_t rgid, pid_t pid,
	267	au_asid_t sid, au_tid_t *tid);
	268	token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid,
	269	uid_t ruid, gid_t rgid, pid_t pid,
	270	au_asid_t sid, au_tid_t *tid);
	271	token_t *au_to_process_ex(au_id_t auid, uid_t euid,
	272	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	273	au_asid_t sid, au_tid_addr_t *tid);
	274	token_t *au_to_process32_ex(au_id_t auid, uid_t euid,
	275	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	276	au_asid_t sid, au_tid_addr_t *tid);
	277	token_t *au_to_process64_ex(au_id_t auid, uid_t euid,
	278	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	279	au_asid_t sid, au_tid_addr_t *tid);
	280	token_t *au_to_return(char status, u_int32_t ret);
	281	token_t *au_to_return32(char status, u_int32_t ret);
	282	token_t *au_to_return64(char status, u_int64_t ret);
	283	token_t *au_to_seq(long audit_count);
	284	token_t au_to_socket(struct socket so);
e5568f75 A	285	token_t *au_to_socket_ex_32(u_int16_t lp, u_int16_t rp,
	286	struct sockaddr la, struct sockaddr ta);
	287	token_t *au_to_socket_ex_128(u_int16_t lp, u_int16_t rp,
	288	struct sockaddr la, struct sockaddr ta);
55e303ae A	289	token_t au_to_sock_inet(struct sockaddr_in so);
	290	token_t au_to_sock_inet32(struct sockaddr_in so);
	291	token_t au_to_sock_inet128(struct sockaddr_in6 so);
	292	token_t au_to_sock_unix(struct sockaddr_un so);
	293	token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
	294	uid_t ruid, gid_t rgid, pid_t pid,
	295	au_asid_t sid, au_tid_t *tid);
	296	token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
	297	uid_t ruid, gid_t rgid, pid_t pid,
	298	au_asid_t sid, au_tid_t *tid);
	299	token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid,
	300	uid_t ruid, gid_t rgid, pid_t pid,
	301	au_asid_t sid, au_tid_t *tid);
	302	token_t *au_to_subject_ex(au_id_t auid, uid_t euid,
	303	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	304	au_asid_t sid, au_tid_addr_t *tid);
	305	token_t *au_to_subject32_ex(au_id_t auid, uid_t euid,
	306	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	307	au_asid_t sid, au_tid_addr_t *tid);
	308	token_t *au_to_subject64_ex(au_id_t auid, uid_t euid,
	309	gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	310	au_asid_t sid, au_tid_addr_t *tid);
	311	token_t au_to_exec_args(const char *);
	312	token_t au_to_exec_env(const char *);
	313	token_t au_to_text(char text);
e5568f75	314	token_t au_to_kevent(struct kevent kev);
55e303ae A	315	token_t *au_to_trailer(int rec_size);
55e303ae A	316
e5568f75 A	317	__END_DECLS
	318
	319	#endif /* ! _BSM_AUDIT_RECORD_H_ */