1 | /* | |
2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. | |
7 | * | |
8 | * This file contains Original Code and/or Modifications of Original Code | |
9 | * as defined in and that are subject to the Apple Public Source License | |
10 | * Version 2.0 (the 'License'). You may not use this file except in | |
11 | * compliance with the License. Please obtain a copy of the License at | |
12 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
13 | * file. | |
14 | * | |
15 | * The Original Code and all software distributed under the License are | |
16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
20 | * Please see the License for the specific language governing rights and | |
21 | * limitations under the License. | |
22 | * | |
23 | * @APPLE_LICENSE_HEADER_END@ | |
24 | */ | |
25 | ||
26 | #ifndef _SYS_KERN_AUDIT_H | |
27 | #define _SYS_KERN_AUDIT_H | |
28 | ||
29 | #ifdef KERNEL | |
30 | ||
/*
 * Audit subsystem condition flags. The audit_enabled flag is set and
 * removed automatically as a result of configuring log files, and
 * can be observed but should not be directly manipulated. The audit
 * suspension flag permits audit to be temporarily disabled without
 * reconfiguring the audit target.
 *
 * Only audit_enabled is consulted by the AUDIT_ARG() / AUDIT_CMD()
 * wrappers at the bottom of this header; audit_suspended is not, so any
 * suspension check has to live inside the audit_* implementation.
 */
extern int audit_enabled;	/* non-zero while an audit log target is configured */
extern int audit_suspended;	/* non-zero while auditing is temporarily suspended */
40 | ||
/*
 * Outcome codes for an audited event. These are distinct from the errno /
 * return value handed to the process (ar_errno / ar_retval in struct
 * audit_record); how an outcome code is derived from the syscall result is
 * decided in the implementation, not in this header.
 */
#define BSM_SUCCESS	0	/* event completed successfully */
#define BSM_FAILURE	1	/* event failed */
#define BSM_NOAUDIT	2	/* presumably: event is not to be recorded — confirm in kaudit_to_bsm() */
44 | ||
/*
 * Define the masks for the audited arguments.
 *
 * Each bit names one ar_arg_* field of struct audit_record and is set in
 * ar_valid_arg (a u_int64_t, hence the ULL constants) once that field has
 * been filled in; a consumer must not read an ar_arg_* field whose bit is
 * clear. The same mask type is what audit_arg_upath() / audit_arg_vnpath()
 * take in their `flags` parameter to select slot 1 or slot 2.
 *
 * Bit 0x800 is reserved. Its macro name, UNUSED, carries no ARG_ prefix
 * and is a common identifier in other headers, so it should be treated as
 * opaque and never referenced by name.
 */
#define ARG_EUID		0x0000000000000001ULL
#define ARG_RUID		0x0000000000000002ULL
#define ARG_SUID		0x0000000000000004ULL
#define ARG_EGID		0x0000000000000008ULL
#define ARG_RGID		0x0000000000000010ULL
#define ARG_SGID		0x0000000000000020ULL
#define ARG_PID			0x0000000000000040ULL
#define ARG_UID			0x0000000000000080ULL
#define ARG_AUID		0x0000000000000100ULL
#define ARG_GID			0x0000000000000200ULL
#define ARG_FD			0x0000000000000400ULL
#define UNUSED			0x0000000000000800ULL	/* reserved bit, see note above */
#define ARG_FFLAGS		0x0000000000001000ULL
#define ARG_MODE		0x0000000000002000ULL
#define ARG_DEV			0x0000000000004000ULL
#define ARG_ACCMODE		0x0000000000008000ULL
#define ARG_CMODE		0x0000000000010000ULL
#define ARG_MASK		0x0000000000020000ULL
#define ARG_SIGNUM		0x0000000000040000ULL
#define ARG_LOGIN		0x0000000000080000ULL
#define ARG_SADDRINET		0x0000000000100000ULL	/* all three address-family bits share the single ar_arg_sockaddr field */
#define ARG_SADDRINET6		0x0000000000200000ULL
#define ARG_SADDRUNIX		0x0000000000400000ULL
#define ARG_KPATH1		0x0000000000800000ULL	/* kernel-side path slots (ar_arg_kpath1/2) */
#define ARG_KPATH2		0x0000000001000000ULL
#define ARG_UPATH1		0x0000000002000000ULL	/* user-supplied path slots (ar_arg_upath1/2) */
#define ARG_UPATH2		0x0000000004000000ULL
#define ARG_TEXT		0x0000000008000000ULL
#define ARG_VNODE1		0x0000000010000000ULL
#define ARG_VNODE2		0x0000000020000000ULL
#define ARG_SVIPC_CMD		0x0000000040000000ULL
#define ARG_SVIPC_PERM		0x0000000080000000ULL
#define ARG_SVIPC_ID		0x0000000100000000ULL
#define ARG_SVIPC_ADDR		0x0000000200000000ULL
#define ARG_GROUPSET		0x0000000400000000ULL
#define ARG_CMD			0x0000000800000000ULL
#define ARG_SOCKINFO		0x0000001000000000ULL
#define ARG_NONE		0x0000000000000000ULL	/* no argument valid */
#define ARG_ALL			0xFFFFFFFFFFFFFFFFULL	/* every bit, including the reserved and currently unassigned ones */
87 | ||
/*
 * Vnode attributes captured for the audit record (the ar_arg_vnode1 /
 * ar_arg_vnode2 slots, filled by audit_arg_vnpath()). vn_fsid, vn_fileid
 * and vn_gen are plain `long`, i.e. as wide as the kernel's long rather
 * than a fixed-width type; check the producer before assuming a
 * particular width in the BSM encoding.
 */
struct vnode_au_info {
	mode_t	vn_mode;	/* file mode / type bits */
	uid_t	vn_uid;		/* owner uid */
	gid_t	vn_gid;		/* owner gid */
	dev_t	vn_dev;		/* device number — note ar_arg_dev in struct audit_record is a plain int */
	long	vn_fsid;	/* filesystem id */
	long	vn_fileid;	/* file (inode) number */
	long	vn_gen;		/* generation number */
};
97 | ||
/*
 * Supplementary group list captured by audit_arg_groupset(). The array is
 * fixed at NGROUPS entries, so gidset_size must never exceed NGROUPS;
 * nothing in this header enforces that bound — the implementation of
 * audit_arg_groupset() has to clamp or reject larger inputs.
 */
struct groupset {
	gid_t	gidset[NGROUPS];	/* group ids; only the first gidset_size entries are meaningful */
	u_int	gidset_size;		/* number of valid entries in gidset, <= NGROUPS */
};
102 | ||
/*
 * Socket creation parameters captured by audit_arg_socket(); the three
 * fields mirror that function's (sodomain, sotype, soprotocol) arguments
 * and land in ar_arg_sockinfo.
 */
struct socket_info {
	int	sodomain;	/* address family / domain */
	int	sotype;		/* socket type */
	int	soprotocol;	/* protocol number */
};
108 | ||
/*
 * The audit record accumulated for one audited event. An ar_arg_* field is
 * only meaningful when its ARG_* bit is set in ar_valid_arg; this header
 * defines no other validity signal. Several members are raw pointers (the
 * path/text strings, ar_arg_svipc_addr); their ownership and lifetime are
 * not expressed here — see the per-field notes.
 */
struct audit_record {
	/* Audit record header. */
	u_int32_t	ar_magic;	/* record signature; presumably what bsm_rec_verify() checks — confirm */
	int		ar_event;	/* audit event identifier (cf. the `short event` taken by kau_close()) */
	int		ar_retval;	/* value returned to the process */
	int		ar_errno;	/* return status of system call */
	struct timespec	ar_starttime;	/* when the event started */
	struct timespec	ar_endtime;	/* when the event completed (cf. kau_close()'s endtime) */
	u_int64_t	ar_valid_arg;	/* Bitmask of valid arguments: ARG_* bits, same width as the ULL masks above */

	/* Audit subject information. */
	struct xucred	ar_subj_cred;	/* subject credentials */
	uid_t		ar_subj_ruid;	/* real uid */
	gid_t		ar_subj_rgid;	/* real gid */
	gid_t		ar_subj_egid;	/* effective gid */
	uid_t		ar_subj_auid;	/* Audit user ID */
	pid_t		ar_subj_asid;	/* Audit session ID */
	pid_t		ar_subj_pid;	/* subject process id */
	struct au_tid	ar_subj_term;	/* subject terminal id */
	char		ar_subj_comm[MAXCOMLEN + 1];	/* command name; the +1 reserves room for the NUL terminator */
	struct au_mask	ar_subj_amask;	/* subject audit mask */

	/* Operation arguments. */
	uid_t		ar_arg_euid;
	uid_t		ar_arg_ruid;
	uid_t		ar_arg_suid;
	gid_t		ar_arg_egid;
	gid_t		ar_arg_rgid;
	gid_t		ar_arg_sgid;
	pid_t		ar_arg_pid;
	uid_t		ar_arg_uid;
	uid_t		ar_arg_auid;
	gid_t		ar_arg_gid;
	struct groupset	ar_arg_groups;	/* bounded by NGROUPS, see struct groupset */
	int		ar_arg_fd;
	int		ar_arg_fflags;
	mode_t		ar_arg_mode;
	int		ar_arg_dev;	/* plain int, unlike vn_dev (dev_t) in struct vnode_au_info */
	int		ar_arg_accmode;
	int		ar_arg_cmode;
	int		ar_arg_mask;
	u_int		ar_arg_signum;
	char		ar_arg_login[MAXLOGNAME];	/* login name. No +1 here, unlike ar_subj_comm, so whether
						 * MAXLOGNAME already includes the NUL terminator must be
						 * confirmed against sys/param.h before treating this as a
						 * C string. */
	struct sockaddr	ar_arg_sockaddr;	/* NOTE(review): a bare struct sockaddr carries only sa_data[14],
						 * yet ARG_SADDRINET6 / ARG_SADDRUNIX above imply larger address
						 * families are recorded here — confirm audit_arg_sockaddr()
						 * bounds its copy to sizeof(struct sockaddr). */
	struct socket_info ar_arg_sockinfo;	/* from audit_arg_socket() */
	char		*ar_arg_upath1;	/* user-supplied path, slot 1 (ARG_UPATH1). Who allocates and frees
					 * these strings is not visible in this header — confirm in the
					 * audit_arg_upath()/audit_abort()/audit_commit() implementations. */
	char		*ar_arg_upath2;	/* user-supplied path, slot 2 (ARG_UPATH2) */
	char		*ar_arg_kpath1;	/* kernel path, slot 1 (ARG_KPATH1) */
	char		*ar_arg_kpath2;	/* kernel path, slot 2 (ARG_KPATH2) */
	char		*ar_arg_text;	/* free-form text from audit_arg_text(); same ownership caveat */
	struct au_mask	ar_arg_amask;
	struct vnode_au_info ar_arg_vnode1;	/* ARG_VNODE1 */
	struct vnode_au_info ar_arg_vnode2;	/* ARG_VNODE2 */
	int		ar_arg_cmd;
	int		ar_arg_svipc_cmd;
	struct ipc_perm	ar_arg_svipc_perm;
	int		ar_arg_svipc_id;
	void *		ar_arg_svipc_addr;	/* address argument of a SysV IPC call; presumably recorded as a
						 * value and never dereferenced — confirm in audit_arg_svipc_addr() */
};
168 | ||
/*
 * In-kernel version of audit record; the basic record plus queue meta-data.
 * This record can also have a pointer set to some opaque data that will
 * be passed through to the audit writing mechanism.
 *
 * k_udata is a raw pointer with a separate length; nothing here says who
 * owns the buffer or whether k_ulen has been validated against it, so the
 * audit writer must treat (k_udata, k_ulen) as a caller-supplied pair and
 * bound every access by k_ulen.
 */
struct kaudit_record {
	struct audit_record	k_ar;		/* the record proper */
	caddr_t			k_udata;	/* user data */
	u_int			k_ulen;		/* user data length */
	struct uthread		*k_uthread;	/* thread we are auditing */
	TAILQ_ENTRY(kaudit_record) k_q;		/* linkage on the pending-record queue */
};
181 | ||
/* Forward declarations; struct componentname is not used by any prototype in this header. */
struct proc;
struct vnode;
struct componentname;

/*
 * Record lifecycle. audit_new() hands back a record for `event` on behalf
 * of process p / thread uthread; audit_commit() finishes it with the
 * syscall outcome (error/retval, cf. ar_errno/ar_retval) and audit_abort()
 * discards it. Which of these releases the record's storage is not
 * visible here — confirm before adding a new caller.
 */
void audit_abort(struct kaudit_record *ar);
void audit_commit(struct kaudit_record *ar, int error,
		  int retval);
void audit_init(void);		/* subsystem initialisation */
void audit_shutdown(void);	/* subsystem teardown */

struct kaudit_record *audit_new(int event, struct proc *p,
				struct uthread *uthread);

/*
 * System call entry/exit hooks. `code` is presumably the syscall number
 * (note its type, unsigned short); how it maps to an audit event is
 * decided in the implementation.
 */
void audit_syscall_enter(unsigned short code, struct proc *proc, struct uthread *uthread);
void audit_syscall_exit(int error, struct proc *proc,
			struct uthread *uthread);

/* Convert a kernel record to BSM form; *pau receives the result. The int status is not documented here. */
int kaudit_to_bsm(struct kaudit_record *kar,
		  struct au_record **pau);

/*
 * Sanity-check a raw BSM record. No length is passed, so the verifier has
 * to take the record size from the record itself; any caller handing it a
 * buffer of externally determined length should confirm the implementation
 * bounds its reads by that length before relying on the result.
 */
int bsm_rec_verify(caddr_t rec);
203 | ||
/*
 * Kernel versions of the BSM audit record functions.
 *
 * As far as the names show: kau_open() produces a record, kau_write()
 * appends one token, kau_close() finalises it with the end time and event
 * code, kau_free() releases it. The kau_to_*() helpers build individual
 * tokens (token_t) for kau_write(); the header token comes in a generic,
 * a 32-bit and a 64-bit form. Whether kau_write() takes ownership of the
 * token it is given is not stated here.
 */
struct au_record *kau_open(void);
int kau_write(struct au_record *rec, token_t *m);
int kau_close(struct au_record *rec,
	      struct timespec *endtime, short event);
void kau_free(struct au_record *rec);
void kau_init(void);
token_t *kau_to_file(char *file, struct timeval *tv);	/* `file` is not const-qualified although a token builder has no reason to write it */
token_t *kau_to_header(struct timespec *ctime, int rec_size,
		       au_event_t e_type, au_emod_t e_mod);	/* rec_size is a signed int; callers must not pass a negative or overflowed size */
token_t *kau_to_header32(struct timespec *ctime, int rec_size,
			 au_event_t e_type, au_emod_t e_mod);
token_t *kau_to_header64(struct timespec *ctime, int rec_size,
			 au_event_t e_type, au_emod_t e_mod);
220 | /* | |
221 | * The remaining kernel functions are conditionally compiled in as they | |
222 | * are wrapped by a macro, and the macro should be the only place in | |
223 | * the source tree where these functions are referenced. | |
224 | */ | |
225 | #ifdef AUDIT | |
/*
 * Argument recorders. Each stores its input into the matching ar_arg_*
 * field of the current record and (per the ARG_* comment above) marks the
 * corresponding bit in ar_valid_arg. They are meant to be reached only
 * through AUDIT_ARG(), which gates them on audit_enabled.
 */
void audit_arg_accmode(int mode);
void audit_arg_cmode(int cmode);
void audit_arg_fd(int fd);
void audit_arg_fflags(int fflags);
void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
		   gid_t sgid);
void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
		   uid_t suid);
/* Feeds struct groupset, whose array has NGROUPS entries; a gidset_size above NGROUPS must be clamped or rejected by the implementation. */
void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
/*
 * The array parameter decays to `char *`; the MAXLOGNAME bound is
 * documentation only and is not enforced by the compiler. The field it
 * feeds is ar_arg_login[MAXLOGNAME], so the implementation must bound
 * its copy.
 */
void audit_arg_login(char[MAXLOGNAME]);
void audit_arg_mask(int mask);
void audit_arg_mode(mode_t mode);
void audit_arg_dev(int dev);
void audit_arg_owner(uid_t uid, gid_t gid);
void audit_arg_pid(pid_t pid);
void audit_arg_signum(u_int signum);
void audit_arg_socket(int sodomain, int sotype,
		      int soprotocol);
/* Lands in ar_arg_sockaddr, a bare struct sockaddr — see the size caveat on that field. */
void audit_arg_sockaddr(struct proc *p,
			struct sockaddr *so);
void audit_arg_auid(uid_t auid);
/*
 * `flags` presumably selects ARG_UPATH1 or ARG_UPATH2. NOTE(review): the
 * name suggests `upath` is a user-space pointer; confirm the implementation
 * copies it in with a bounded copyinstr()-style routine rather than
 * dereferencing it directly.
 */
void audit_arg_upath(struct proc *p, char *upath,
		     u_int64_t flags);
void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);	/* `flags`: ARG_VNODE1/ARG_VNODE2 and/or ARG_KPATH1/2 slot selection, presumably */
void audit_arg_text(char *text);	/* no length parameter: `text` must be NUL-terminated */
void audit_arg_cmd(int cmd);
void audit_arg_svipc_cmd(int cmd);
void audit_arg_svipc_perm(struct ipc_perm *perm);
void audit_arg_svipc_id(int id);
void audit_arg_svipc_addr(void *addr);	/* recorded into ar_arg_svipc_addr; see the caveat on that field */

/* Per-process audit state lifecycle: set up on init, propagated on fork, torn down on free. */
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent,
		     struct proc *child);
void audit_proc_free(struct proc *p);
261 | ||
/*
 * Define a macro to wrap the audit_arg_* calls by checking the global
 * audit_enabled flag before performing the actual call.
 *
 * `op` is token-pasted onto audit_arg_, so AUDIT_ARG(fd, fd) expands to
 * audit_arg_fd(fd). `args...` is the GNU named-variadic form, not C99
 * __VA_ARGS__. Because the call sits inside the audit_enabled test, the
 * arguments are NOT evaluated when auditing is off — callers must not
 * rely on side effects in them. Only audit_enabled is consulted;
 * audit_suspended is not.
 */
#define AUDIT_ARG(op, args...) do { \
	if (audit_enabled) \
		audit_arg_ ## op (args); \
} while (0)

/* Same gate for an arbitrary statement: `audit_cmd` runs only while audit_enabled is set. */
#define AUDIT_CMD(audit_cmd) do { \
	if (audit_enabled) { \
		audit_cmd; \
	} \
} while (0)
276 | ||
277 | #else /* !AUDIT */ | |
/*
 * No-op replacements for a kernel built without AUDIT. `op`, `args` and
 * `audit_cmd` are dropped entirely, so in this configuration the
 * arguments are neither evaluated nor type-checked: a call site that
 * compiles here can still fail against the real prototypes in an AUDIT
 * build.
 */
#define AUDIT_ARG(op, args...) do { \
} while (0)

#define AUDIT_CMD(audit_cmd) do { \
} while (0)
283 | ||
284 | #endif /* AUDIT */ | |
285 | ||
286 | #endif /* KERNEL */ | |
287 | ||
288 | #endif /* !_SYS_KERN_AUDIT_H */ |