]> git.saurik.com Git - apple/xnu.git/blame_incremental - bsd/bsm/audit_kernel.h
projects / apple / xnu.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
xnu-792.6.76.tar.gz
[apple/xnu.git] / bsd / bsm / audit_kernel.h
... / ...
CommitLineData
1/*
2 * @APPLE_LICENSE_HEADER_START@
3 *
4 * Copyright (c) 1999-2004 Apple Computer, Inc. All Rights Reserved.
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24#ifndef _BSM_AUDIT_KERNEL_H
25#define _BSM_AUDIT_KERNEL_H
26
27#ifdef KERNEL
28
29#include <bsm/audit.h>
30
31#include <sys/sysctl.h>
32#include <sys/user.h>
33#include <sys/ipc.h>
34
35/*
36 * Audit subsystem condition flags. The audit_enabled flag is set and
37 * removed automatically as a result of configuring log files, and
38 * can be observed but should not be directly manipulated. The audit
39 * suspension flag permits audit to be temporarily disabled without
40 * reconfiguring the audit target.
41 */
42extern int audit_enabled;
43extern int audit_suspended;
44
45#define BSM_SUCCESS 0
46#define BSM_FAILURE 1
47#define BSM_NOAUDIT 2
48
49/*
50 * Define the masks for the audited arguments.
51 */
52#define ARG_EUID 0x0000000000000001ULL
53#define ARG_RUID 0x0000000000000002ULL
54#define ARG_SUID 0x0000000000000004ULL
55#define ARG_EGID 0x0000000000000008ULL
56#define ARG_RGID 0x0000000000000010ULL
57#define ARG_SGID 0x0000000000000020ULL
58#define ARG_PID 0x0000000000000040ULL
59#define ARG_UID 0x0000000000000080ULL
60#define ARG_AUID 0x0000000000000100ULL
61#define ARG_GID 0x0000000000000200ULL
62#define ARG_FD 0x0000000000000400ULL
63#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
64#define ARG_FFLAGS 0x0000000000001000ULL
65#define ARG_MODE 0x0000000000002000ULL
66#define ARG_DEV 0x0000000000004000ULL
67#define ARG_ADDR 0x0000000000008000ULL
68#define ARG_LEN 0x0000000000010000ULL
69#define ARG_MASK 0x0000000000020000ULL
70#define ARG_SIGNUM 0x0000000000040000ULL
71#define ARG_LOGIN 0x0000000000080000ULL
72#define ARG_SADDRINET 0x0000000000100000ULL
73#define ARG_SADDRINET6 0x0000000000200000ULL
74#define ARG_SADDRUNIX 0x0000000000400000ULL
75#define ARG_KPATH1 0x0000000000800000ULL
76#define ARG_KPATH2 0x0000000001000000ULL
77#define ARG_UPATH1 0x0000000002000000ULL
78#define ARG_UPATH2 0x0000000004000000ULL
79#define ARG_TEXT 0x0000000008000000ULL
80#define ARG_VNODE1 0x0000000010000000ULL
81#define ARG_VNODE2 0x0000000020000000ULL
82#define ARG_SVIPC_CMD 0x0000000040000000ULL
83#define ARG_SVIPC_PERM 0x0000000080000000ULL
84#define ARG_SVIPC_ID 0x0000000100000000ULL
85#define ARG_SVIPC_ADDR 0x0000000200000000ULL
86#define ARG_GROUPSET 0x0000000400000000ULL
87#define ARG_CMD 0x0000000800000000ULL
88#define ARG_SOCKINFO 0x0000001000000000ULL
89#define ARG_ASID 0x0000002000000000ULL
90#define ARG_TERMID 0x0000004000000000ULL
91#define ARG_AUDITON 0x0000008000000000ULL
92#define ARG_VALUE 0x0000010000000000ULL
93#define ARG_AMASK 0x0000020000000000ULL
94#define ARG_CTLNAME 0x0000040000000000ULL
95#define ARG_PROCESS 0x0000080000000000ULL
96#define ARG_MACHPORT1 0x0000100000000000ULL
97#define ARG_MACHPORT2 0x0000200000000000ULL
98#define ARG_NONE 0x0000000000000000ULL
99#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
100
101/* Defines for the kernel audit record k_ar_commit field */
102#define AR_COMMIT_KERNEL 0x00000001U
103#define AR_COMMIT_USER 0x00000010U
104
105struct vnode_au_info {
106 mode_t vn_mode;
107 uid_t vn_uid;
108 gid_t vn_gid;
109 dev_t vn_dev;
110 long vn_fsid;
111 long vn_fileid;
112 long vn_gen;
113};
114
115struct groupset {
116 gid_t gidset[NGROUPS];
117 u_int gidset_size;
118};
119
120struct socket_au_info {
121 int so_domain;
122 int so_type;
123 int so_protocol;
124 in_addr_t so_raddr; /* remote address if INET socket */
125 in_addr_t so_laddr; /* local address if INET socket */
126 u_short so_rport; /* remote port */
127 u_short so_lport; /* local port */
128};
129
130union auditon_udata {
131 char au_path[MAXPATHLEN];
132 long au_cond;
133 long au_flags;
134 long au_policy;
135 au_evclass_map_t au_evclass;
136 au_mask_t au_mask;
137 auditinfo_t au_auinfo;
138 auditpinfo_t au_aupinfo;
139 auditpinfo_addr_t au_aupinfo_addr;
140 au_qctrl_t au_qctrl;
141 au_stat_t au_stat;
142 au_fstat_t au_fstat;
143};
144
145struct posix_ipc_perm {
146 uid_t pipc_uid;
147 gid_t pipc_gid;
148 mode_t pipc_mode;
149};
150
151struct audit_record {
152 /* Audit record header. */
153 u_int32_t ar_magic;
154 int ar_event;
155 int ar_retval; /* value returned to the process */
156 int ar_errno; /* return status of system call */
157 struct timespec ar_starttime;
158 struct timespec ar_endtime;
159 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
160
161 /* Audit subject information. */
162 struct xucred ar_subj_cred;
163 uid_t ar_subj_ruid;
164 gid_t ar_subj_rgid;
165 gid_t ar_subj_egid;
166 uid_t ar_subj_auid; /* Audit user ID */
167 pid_t ar_subj_asid; /* Audit session ID */
168 pid_t ar_subj_pid;
169 struct au_tid ar_subj_term;
170 char ar_subj_comm[MAXCOMLEN + 1];
171 struct au_mask ar_subj_amask;
172
173 /* Operation arguments. */
174 uid_t ar_arg_euid;
175 uid_t ar_arg_ruid;
176 uid_t ar_arg_suid;
177 gid_t ar_arg_egid;
178 gid_t ar_arg_rgid;
179 gid_t ar_arg_sgid;
180 pid_t ar_arg_pid;
181 pid_t ar_arg_asid;
182 struct au_tid ar_arg_termid;
183 uid_t ar_arg_uid;
184 uid_t ar_arg_auid;
185 gid_t ar_arg_gid;
186 struct groupset ar_arg_groups;
187 int ar_arg_fd;
188 int ar_arg_fflags;
189 mode_t ar_arg_mode;
190 int ar_arg_dev;
191 long ar_arg_value;
192 void * ar_arg_addr;
193 int ar_arg_len;
194 int ar_arg_mask;
195 u_int ar_arg_signum;
196 char ar_arg_login[MAXLOGNAME];
197 int ar_arg_ctlname[CTL_MAXNAME];
198 struct sockaddr ar_arg_sockaddr;
199 struct socket_au_info ar_arg_sockinfo;
200 char *ar_arg_upath1;
201 char *ar_arg_upath2;
202 char *ar_arg_kpath1;
203 char *ar_arg_kpath2;
204 char *ar_arg_text;
205 struct au_mask ar_arg_amask;
206 struct vnode_au_info ar_arg_vnode1;
207 struct vnode_au_info ar_arg_vnode2;
208 int ar_arg_cmd;
209 int ar_arg_svipc_cmd;
210 struct ipc_perm ar_arg_svipc_perm;
211 int ar_arg_svipc_id;
212 void * ar_arg_svipc_addr;
213 struct posix_ipc_perm ar_arg_pipc_perm;
214 mach_port_name_t ar_arg_mach_port1;
215 mach_port_name_t ar_arg_mach_port2;
216 union auditon_udata ar_arg_auditon;
217};
218
219/*
220 * In-kernel version of audit record; the basic record plus queue meta-data.
221 * This record can also have a pointer set to some opaque data that will
222 * be passed through to the audit writing mechanism.
223 */
224struct kaudit_record {
225 struct audit_record k_ar;
226 u_int32_t k_ar_commit;
227 void *k_udata; /* user data */
228 u_int k_ulen; /* user data length */
229 struct uthread *k_uthread; /* thread we are auditing */
230 TAILQ_ENTRY(kaudit_record) k_q;
231};
232
233struct proc;
234struct vnode;
235struct componentname;
236
237void audit_abort(struct kaudit_record *ar);
238void audit_commit(struct kaudit_record *ar, int error,
239 int retval);
240void audit_init(void);
241void audit_shutdown(void);
242
243struct kaudit_record *audit_new(int event, struct proc *p,
244 struct uthread *uthread);
245
246void audit_syscall_enter(unsigned short code,
247 struct proc *proc, struct uthread *uthread);
248void audit_syscall_exit(int error, struct proc *proc,
249 struct uthread *uthread);
250void audit_mach_syscall_enter(unsigned short audit_event);
251void audit_mach_syscall_exit(int retval,
252 struct uthread *uthread);
253
254int kaudit_to_bsm(struct kaudit_record *kar,
255 struct au_record **pau);
256
257int bsm_rec_verify(void *rec);
258
259/*
260 * Kernel versions of the BSM audit record functions.
261 */
262struct au_record *kau_open(void);
263int kau_write(struct au_record *rec, token_t *m);
264int kau_close(struct au_record *rec,
265 struct timespec *endtime, short event);
266void kau_free(struct au_record *rec);
267void kau_init(void);
268token_t *kau_to_file(const char *file, const struct timeval *tv);
269token_t *kau_to_header(const struct timespec *ctime, int rec_size,
270 au_event_t e_type, au_emod_t e_mod);
271token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
272 au_event_t e_type, au_emod_t e_mod);
273token_t *kau_to_header64(const struct timespec *ctime, int rec_size,
274 au_event_t e_type, au_emod_t e_mod);
275/*
276 * The remaining kernel functions are conditionally compiled in as they
277 * are wrapped by a macro, and the macro should be the only place in
278 * the source tree where these functions are referenced.
279 */
280#ifdef AUDIT
281void audit_arg_addr(user_addr_t addr);
282void audit_arg_len(user_size_t len);
283void audit_arg_fd(int fd);
284void audit_arg_fflags(int fflags);
285void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
286 gid_t sgid);
287void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
288 uid_t suid);
289void audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
290void audit_arg_login(const char *login);
291void audit_arg_ctlname(const int *name, int namelen);
292void audit_arg_mask(int mask);
293void audit_arg_mode(mode_t mode);
294void audit_arg_dev(int dev);
295void audit_arg_value(long value);
296void audit_arg_owner(uid_t uid, gid_t gid);
297void audit_arg_pid(pid_t pid);
298void audit_arg_process(struct proc *p);
299void audit_arg_signum(u_int signum);
300void audit_arg_socket(int sodomain, int sotype,
301 int soprotocol);
302void audit_arg_sockaddr(struct proc *p,
303 struct sockaddr *so);
304void audit_arg_auid(uid_t auid);
305void audit_arg_auditinfo(const struct auditinfo *au_info);
306void audit_arg_upath(struct proc *p, char *upath,
307 u_int64_t flags);
308void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
309void audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
310void audit_arg_text(const char *text);
311void audit_arg_cmd(int cmd);
312void audit_arg_svipc_cmd(int cmd);
313void audit_arg_svipc_perm(const struct ipc_perm *perm);
314void audit_arg_svipc_id(int id);
315void audit_arg_svipc_addr(void *addr);
316void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
317 mode_t mode);
318void audit_arg_auditon(const union auditon_udata *udata);
319void audit_arg_file(struct proc *p, const struct fileproc *fp);
320void audit_arg_mach_port1(mach_port_name_t port);
321void audit_arg_mach_port2(mach_port_name_t port);
322
323void audit_sysclose(struct proc *p, int fd);
324
325void audit_proc_init(struct proc *p);
326void audit_proc_fork(struct proc *parent,
327 struct proc *child);
328void audit_proc_free(struct proc *p);
329
330/*
331 * Define a macro to wrap the audit_arg_* calls by checking the global
332 * audit_enabled flag before performing the actual call.
333 */
334#define AUDIT_ARG(op, args...) do { \
335 if (audit_enabled) \
336 audit_arg_ ## op (args); \
337 } while (0)
338
339#define AUDIT_SYSCALL_ENTER(args...) do { \
340 if (audit_enabled) { \
341 audit_syscall_enter(args); \
342 } \
343 } while (0)
344
345/*
346 * Wrap the audit_syscall_exit() function so that it is called only when
347 * auditing is enabled, or we have a audit record on the thread. It is
348 * possible that an audit record was begun before auditing was turned off.
349 */
350#define AUDIT_SYSCALL_EXIT(error, proc, uthread) do { \
351 if (audit_enabled || (uthread->uu_ar != NULL)) { \
352 audit_syscall_exit(error, proc, uthread); \
353 } \
354 } while (0)
355
356/*
357 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
358 * functions in a manner similar to other system call enter/exit functions.
359 */
360#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
361 if (audit_enabled) { \
362 audit_mach_syscall_enter(args); \
363 } \
364 } while (0)
365
366#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
367 struct uthread *__uthread = get_bsdthread_info(current_thread()); \
368 if (audit_enabled || (__uthread->uu_ar != NULL)) { \
369 audit_mach_syscall_exit(retval, __uthread); \
370 } \
371 } while (0)
372
373/*
374 * A Macro to wrap the audit_sysclose() function.
375 */
376#define AUDIT_SYSCLOSE(args...) do { \
377 if (audit_enabled) \
378 audit_sysclose(args); \
379 } while (0)
380
381#else /* !AUDIT */
382#define AUDIT_SYSCALL_ENTER(args...) do { \
383 } while (0)
384
385#define AUDIT_SYSCALL_EXIT(error, proc, uthread) do { \
386 } while (0)
387
388#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
389 } while (0)
390
391#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
392 } while (0)
393
394#define AUDIT_SYSCLOSE(op, args...) do { \
395 } while (0)
396
397#endif /* AUDIT */
398
399#endif /* KERNEL */
400
401#endif /* !_BSM_AUDIT_KERNEL_H */
mirror of XNU