]> git.saurik.com Git - apple/xnu.git/blame_incremental - bsd/security/audit/audit_private.h
projects / apple / xnu.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
xnu-7195.101.1.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_private.h
... / ...
CommitLineData
1/*-
2 * Copyright (c) 1999-2020 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29/*
30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
31 * support for mandatory and extensible security protections. This notice
32 * is included in support of clause 2.2 (b) of the Apple Public License,
33 * Version 2.0.
34 */
35
36/*
37 * This include file contains function prototypes and type definitions used
38 * within the audit implementation.
39 */
40
41#ifndef _SECURITY_AUDIT_PRIVATE_H_
42#define _SECURITY_AUDIT_PRIVATE_H_
43
44#if defined(_KERNEL) || defined(KERNEL)
45
46#if CONFIG_MACF
47#include <sys/queue.h>
48#include <security/mac_framework.h>
49#endif
50
51#include <sys/ipc.h>
52#include <sys/proc_internal.h> /* for PID_MAX */
53#include <sys/socket.h>
54#include <sys/ucred.h>
55
56#ifdef MALLOC_DECLARE
57MALLOC_DECLARE(M_AUDITBSM);
58MALLOC_DECLARE(M_AUDITDATA);
59MALLOC_DECLARE(M_AUDITPATH);
60MALLOC_DECLARE(M_AUDITTEXT);
61#endif
62KALLOC_HEAP_DECLARE(KHEAP_AUDIT);
63#if CONFIG_AUDIT
64/*
65 * mac_audit_data_zone is the zone used for data pushed into the audit
66 * record by policies. Using a zone simplifies memory management of this
67 * data, and allows tracking of the amount of data in flight.
68 */
69extern zone_t mac_audit_data_zone;
70#endif
71
72/*
73 * Audit control variables that are usually set/read via system calls and
74 * used to control various aspects of auditing.
75 */
76extern struct au_qctrl audit_qctrl;
77extern struct audit_fstat audit_fstat;
78extern struct au_mask audit_nae_mask;
79extern int audit_panic_on_write_fail;
80extern int audit_fail_stop;
81extern int audit_argv;
82extern int audit_arge;
83extern au_ctlmode_t audit_ctl_mode;
84extern au_expire_after_t audit_expire_after;
85
86/*
87 * Kernel mask that is used to check to see if system calls need to be audited.
88 */
89extern au_class_t audit_kevent_mask;
90
91/*
92 * The macro used to check to see if the system calls need to be auditing.
93 * This will pessimisticly set the audit syscalls flag if the audit kevent
94 * mask has not been created yet. User code should build the event/class
95 * mapping table before setting preselection masks to avoid this.
96 */
97#define AUDIT_CHECK_IF_KEVENTS_MASK(m) do { \
98 if ((m).am_success || (m).am_failure) \
99 if (!audit_kevent_mask || \
100 (audit_kevent_mask & (m).am_success) || \
101 (audit_kevent_mask & (m).am_failure)) \
102 audit_syscalls = 1; \
103} while (0)
104
105/*
106 * Success/failure conditions for the conversion of a kernel audit record to
107 * BSM format.
108 */
109#define BSM_SUCCESS 0
110#define BSM_FAILURE 1
111#define BSM_NOAUDIT 2
112
113/*
114 * Defines for the kernel audit record k_ar_commit field. Flags are set to
115 * indicate what sort of record it is, and which preselection mechanism
116 * selected it.
117 */
118#define AR_COMMIT_KERNEL 0x00000001U
119#define AR_COMMIT_USER 0x00000010U
120
121#define AR_PRESELECT_TRAIL 0x00001000U
122#define AR_PRESELECT_PIPE 0x00002000U
123
124#define AR_PRESELECT_USER_TRAIL 0x00004000U
125#define AR_PRESELECT_USER_PIPE 0x00008000U
126
127#define AR_PRESELECT_FILTER 0x00010000U
128
129#define AR_DRAIN_QUEUE 0x80000000U
130
131/*
132 * Audit data is generated as a stream of struct audit_record structures,
133 * linked by struct kaudit_record, and contain storage for possible audit so
134 * that it will not need to be allocated during the processing of a system
135 * call, both improving efficiency and avoiding sleeping at untimely moments.
136 * This structure is converted to BSM format before being written to disk.
137 */
138struct vnode_au_info {
139 mode_t vn_mode;
140 uid_t vn_uid;
141 gid_t vn_gid;
142 dev_t vn_dev;
143 long vn_fsid;
144 long vn_fileid;
145 long vn_gen;
146};
147
148struct groupset {
149 gid_t gidset[NGROUPS];
150 u_int gidset_size;
151};
152
153struct socket_au_info {
154 int sai_domain;
155 int sai_type;
156 int sai_protocol;
157
158 /* Foreign (remote) address/port. */
159 struct sockaddr_storage sai_faddr;
160
161 /* Local address/port. */
162 struct sockaddr_storage sai_laddr;
163};
164
165/*
166 * The following is used for A_OLDSETQCTRL and A_OLDGETQCTRL and a 64-bit
167 * userland.
168 */
169struct au_qctrl64 {
170 u_int64_t aq64_hiwater;
171 u_int64_t aq64_lowater;
172 u_int64_t aq64_bufsz;
173 u_int64_t aq64_delay;
174 int64_t aq64_minfree;
175};
176typedef struct au_qctrl64 au_qctrl64_t;
177
178union auditon_udata {
179 char *au_path;
180 int au_cond;
181 int au_policy;
182 int64_t au_cond64;
183 int64_t au_policy64;
184 int au_trigger;
185 au_evclass_map_t au_evclass;
186 au_mask_t au_mask;
187 au_asflgs_t au_flags;
188 auditinfo_t au_auinfo;
189 auditpinfo_t au_aupinfo;
190 auditpinfo_addr_t au_aupinfo_addr;
191 au_qctrl_t au_qctrl;
192 au_qctrl64_t au_qctrl64;
193 au_stat_t au_stat;
194 au_fstat_t au_fstat;
195 auditinfo_addr_t au_kau_info;
196 au_ctlmode_t au_ctl_mode;
197 au_expire_after_t au_expire_after;
198};
199
200struct posix_ipc_perm {
201 uid_t pipc_uid;
202 gid_t pipc_gid;
203 mode_t pipc_mode;
204};
205
206struct au_identity_info {
207 u_int32_t signer_type;
208 char *signing_id;
209 u_char signing_id_trunc;
210 char *team_id;
211 u_char team_id_trunc;
212 u_int8_t *cdhash;
213 u_int16_t cdhash_len;
214};
215
216struct audit_record {
217 /* Audit record header. */
218 u_int32_t ar_magic;
219 int ar_event;
220 int ar_retval; /* value returned to the process */
221 int ar_errno; /* return status of system call */
222 struct timespec ar_starttime;
223 struct timespec ar_endtime;
224 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
225
226 /* Audit subject information. */
227 struct xucred ar_subj_cred;
228 uid_t ar_subj_ruid;
229 gid_t ar_subj_rgid;
230 gid_t ar_subj_egid;
231 uid_t ar_subj_auid; /* Audit user ID */
232 pid_t ar_subj_asid; /* Audit session ID */
233 pid_t ar_subj_pid;
234 struct au_tid ar_subj_term;
235 struct au_tid_addr ar_subj_term_addr;
236 struct au_mask ar_subj_amask;
237
238 /* Operation arguments. */
239 uid_t ar_arg_euid;
240 uid_t ar_arg_ruid;
241 uid_t ar_arg_suid;
242 gid_t ar_arg_egid;
243 gid_t ar_arg_rgid;
244 gid_t ar_arg_sgid;
245 pid_t ar_arg_pid;
246 pid_t ar_arg_asid;
247 struct au_tid ar_arg_termid;
248 struct au_tid_addr ar_arg_termid_addr;
249 uid_t ar_arg_uid;
250 uid_t ar_arg_auid;
251 gid_t ar_arg_gid;
252 struct groupset ar_arg_groups;
253 int ar_arg_fd;
254 int ar_arg_fflags;
255 mode_t ar_arg_mode;
256 uint32_t ar_arg_value32;
257 uint64_t ar_arg_value64;
258 user_addr_t ar_arg_addr;
259 user_size_t ar_arg_len;
260 int ar_arg_mask;
261 u_int ar_arg_signum;
262 char ar_arg_login[MAXLOGNAME];
263 int ar_arg_ctlname[CTL_MAXNAME];
264 struct socket_au_info ar_arg_sockinfo;
265 char *ar_arg_upath1;
266 char *ar_arg_upath2;
267 char *ar_arg_kpath1; /* darwin-only */
268 char *ar_arg_kpath2; /* darwin-only */
269#if CONFIG_MACF
270 char *ar_vnode1_mac_labels;
271 char *ar_vnode2_mac_labels;
272 char *ar_cred_mac_labels;
273 char *ar_arg_mac_string;
274#endif
275 char *ar_arg_text;
276 void *ar_arg_opaque; /* darwin-only */
277 void *ar_arg_data; /* darwin-only */
278 u_int16_t ar_arg_opq_size; /* darwin-only */
279 u_char ar_arg_data_type; /* darwin-only */
280 u_char ar_arg_data_count; /* darwin-only */
281 struct au_mask ar_arg_amask;
282 struct vnode_au_info ar_arg_vnode1;
283 struct vnode_au_info ar_arg_vnode2;
284 int ar_arg_cmd;
285 int ar_arg_svipc_cmd;
286 struct ipc_perm ar_arg_svipc_perm;
287 int ar_arg_svipc_id;
288 user_addr_t ar_arg_svipc_addr;
289 struct posix_ipc_perm ar_arg_pipc_perm;
290 mach_port_name_t ar_arg_mach_port1; /* darwin-only */
291 mach_port_name_t ar_arg_mach_port2; /* darwin-only */
292 union auditon_udata ar_arg_auditon;
293 char *ar_arg_argv;
294 int ar_arg_argc;
295 char *ar_arg_envv;
296 int ar_arg_envc;
297 int ar_arg_exitstatus;
298 int ar_arg_exitretval;
299 struct sockaddr_storage ar_arg_sockaddr;
300 int ar_arg_fd2;
301
302#if CONFIG_MACF
303 /*
304 * MAC security related fields added by MAC policies ar_forced_by_mac
305 * is 1 if mac_audit_check_preselect() forced this call to be audited,
306 * 0 otherwise.
307 */
308 LIST_HEAD(mac_audit_record_list_t, mac_audit_record) * ar_mac_records;
309 int ar_forced_by_mac;
310#endif
311 struct au_identity_info ar_arg_identity;
312};
313
314/*
315 * Arguments in the audit record are initially not defined; flags are set to
316 * indicate if they are present so they can be included in the audit log
317 * stream only if defined.
318 */
319#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg))
320#define ARG_SET_VALID(kar, arg) do { \
321 (kar)->k_ar.ar_valid_arg |= (arg); \
322} while (0)
323
324/*
325 * Current thread macro. get_bsdthread_info() returns a void ptr for some
326 * reason.
327 */
328#define curthread() ((struct uthread *)get_bsdthread_info(current_thread()))
329
330/*
331 * In-kernel version of audit record; the basic record plus queue meta-data.
332 * This record can also have a pointer set to some opaque data that will be
333 * passed through to the audit writing mechanism.
334 */
335struct kaudit_record {
336 struct audit_record k_ar;
337 u_int32_t k_ar_commit;
338 void *k_udata; /* User data. */
339 u_int k_ulen; /* User data length. */
340 struct uthread *k_uthread; /* Audited thread. */
341 TAILQ_ENTRY(kaudit_record) k_q;
342};
343TAILQ_HEAD(kaudit_queue, kaudit_record);
344
345/*
346 * Functions to manage the allocation, release, and commit of kernel audit
347 * records.
348 */
349void audit_abort(struct kaudit_record *ar);
350void audit_commit(struct kaudit_record *ar, int error,
351 int retval);
352struct kaudit_record *audit_new(int event, proc_t p, struct uthread *td);
353
354/*
355 * Functions relating to the conversion of internal kernel audit records to
356 * the BSM file format.
357 */
358struct au_record;
359int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
360int bsm_rec_verify(void *rec, int length, boolean_t kern_events_allowed);
361
362/*
363 * Kernel versions of the libbsm audit record functions.
364 */
365void kau_free(struct au_record *rec);
366void kau_init(void);
367
368/*
369 * Return values for pre-selection and post-selection decisions.
370 */
371#define AU_PRS_SUCCESS 1
372#define AU_PRS_FAILURE 2
373#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
374
375/*
376 * Data structures relating to the kernel audit queue. Ideally, these might
377 * be abstracted so that only accessor methods are exposed.
378 */
379extern struct mtx audit_mtx;
380extern struct cv audit_watermark_cv;
381extern struct cv audit_worker_cv;
382extern struct cv audit_drain_cv;
383extern struct kaudit_queue audit_q;
384extern int audit_q_len;
385extern int audit_pre_q_len;
386extern int audit_in_failure;
387
388/*
389 * Flags to use on audit files when opening and closing.
390 */
391#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND)
392#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND)
393
394#include <sys/fcntl.h>
395#include <sys/kernel.h>
396#include <sys/malloc.h>
397
398/*
399 * Some of the BSM tokenizer functions take different parameters in the
400 * kernel implementations in order to save the copying of large kernel data
401 * structures. The prototypes of these functions are declared here.
402 */
403token_t *kau_to_socket(struct socket_au_info *soi);
404
405/*
406 * audit_klib prototypes
407 */
408int au_preselect(au_event_t event, au_class_t class,
409 au_mask_t *mask_p, int sorf);
410void au_evclassmap_init(void);
411void au_evclassmap_insert(au_event_t event, au_class_t class);
412au_class_t au_event_class(au_event_t event);
413au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
414au_event_t audit_flags_and_error_to_openevent(int oflags, int error);
415au_event_t audit_flags_and_error_to_openextendedevent(int oflags,
416 int error);
417au_event_t audit_flags_and_error_to_openatevent(int oflags,
418 int error);
419au_event_t audit_flags_and_error_to_openbyidevent(int oflags,
420 int error);
421au_event_t audit_msgctl_to_event(int cmd);
422au_event_t audit_semctl_to_event(int cmr);
423int audit_canon_path(struct vnode *cwd_vp, char *path,
424 char *cpath);
425au_event_t auditon_command_event(int cmd);
426au_event_t audit_fcntl_command_event(int cmd, int oflags, int error);
427
428/*
429 * Audit trigger events notify user space of kernel audit conditions
430 * asynchronously.
431 */
432int audit_send_trigger(unsigned int trigger);
433int audit_send_analytics(char* id, char* name);
434
435/*
436 * Accessor functions to manage global audit state.
437 */
438void audit_set_kinfo(struct auditinfo_addr *);
439void audit_get_kinfo(struct auditinfo_addr *);
440
441/*
442 * General audit related functions.
443 */
444struct kaudit_record *currecord(void);
445void audit_free(struct kaudit_record *ar);
446void audit_rotate_vnode(struct ucred *cred,
447 struct vnode *vp);
448void audit_worker_init(void);
449void audit_identity_info_construct(
450 struct au_identity_info *id_info);
451void audit_identity_info_destruct(
452 struct au_identity_info *id_info);
453
454/*
455 * Audit pipe functions.
456 */
457int audit_pipe_init(void);
458int audit_pipe_shutdown(void);
459int audit_pipe_preselect(au_id_t auid, au_event_t event,
460 au_class_t class, int sorf, int trail_select);
461void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,
462 int sorf, int trail_select, void *record, u_int record_len);
463void audit_pipe_submit_user(void *record, u_int record_len);
464
465/*
466 * Audit MAC prototypes.
467 */
468int audit_mac_new(proc_t p, struct kaudit_record *ar);
469void audit_mac_free(struct kaudit_record *ar);
470int audit_mac_syscall_enter(unsigned short code, proc_t p,
471 struct uthread *uthread, kauth_cred_t my_cred, au_event_t event);
472int audit_mac_syscall_exit(unsigned short code, struct uthread *uthread,
473 int error, int retval);
474
475/*
476 * Audit Session.
477 */
478void audit_session_init(void);
479int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p);
480auditinfo_addr_t *audit_session_update(auditinfo_addr_t *new_aia);
481int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia);
482
483/*
484 * Kernel assigned audit session IDs start at PID_MAX + 1 and ends at
485 * ASSIGNED_ASID_MAX.
486 */
487#define ASSIGNED_ASID_MIN (PID_MAX + 1)
488#define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1)
489
490/*
491 * Entitlement required to control various audit subsystem settings
492 */
493#define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit"
494
495/*
496 * Entitlement required to control auditctl sys call
497 */
498#define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control"
499
500/*
501 * Entitlement required to control auditctl sys call
502 */
503#define AU_AUDIT_USER_ENTITLEMENT "com.apple.private.audit.user"
504
505/*
506 * Max sizes used by the kernel for signing id and team id values of the
507 * identity tokens. These lengths include space for the null terminator.
508 */
509#define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129
510#define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17
511
512struct __attribute__((__packed__)) hdr_tok_partial {
513 u_char type;
514 uint32_t len;
515 u_char ver;
516 uint16_t e_type;
517};
518static_assert(sizeof(struct hdr_tok_partial) == 8);
519
520struct __attribute__((__packed__)) trl_tok_partial {
521 u_char type;
522 uint16_t magic;
523 uint32_t len;
524};
525static_assert(sizeof(struct trl_tok_partial) == 7);
526
527#endif /* defined(KERNEL) || defined(_KERNEL) */
528
529#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
mirror of XNU