]> git.saurik.com Git - apple/xnu.git/blob - bsd/bsm/audit_kernel.h
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1228.tar.gz
[apple/xnu.git] / bsd / bsm / audit_kernel.h
1 /*
2 * Copyright (c) 1999-2007 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30 * support for mandatory and extensible security protections. This notice
31 * is included in support of clause 2.2 (b) of the Apple Public License,
32 * Version 2.0.
33 */
34
35 #ifndef _BSM_AUDIT_KERNEL_H
36 #define _BSM_AUDIT_KERNEL_H
37
38 #if CONFIG_MACF
39 #include <sys/queue.h>
40 #include <security/mac_framework.h>
41 #endif
42
43 #ifdef KERNEL
44
45 #include <bsm/audit.h>
46
47 #include <sys/sysctl.h>
48 #include <sys/user.h>
49 #include <sys/ipc.h>
50
51 /*
52 * Audit subsystem condition flags. The audit_enabled flag is set and
53 * removed automatically as a result of configuring log files, and
54 * can be observed but should not be directly manipulated. The audit
55 * suspension flag permits audit to be temporarily disabled without
56 * reconfiguring the audit target.
57 */
58 extern int audit_enabled;
59 extern int audit_suspended;
60
61 #define BSM_SUCCESS 0
62 #define BSM_FAILURE 1
63 #define BSM_NOAUDIT 2
64
65 /*
66 * Define the masks for the audited arguments.
67 */
68 #define ARG_EUID 0x0000000000000001ULL
69 #define ARG_RUID 0x0000000000000002ULL
70 #define ARG_SUID 0x0000000000000004ULL
71 #define ARG_EGID 0x0000000000000008ULL
72 #define ARG_RGID 0x0000000000000010ULL
73 #define ARG_SGID 0x0000000000000020ULL
74 #define ARG_PID 0x0000000000000040ULL
75 #define ARG_UID 0x0000000000000080ULL
76 #define ARG_AUID 0x0000000000000100ULL
77 #define ARG_GID 0x0000000000000200ULL
78 #define ARG_FD 0x0000000000000400ULL
79 #define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
80 #define ARG_FFLAGS 0x0000000000001000ULL
81 #define ARG_MODE 0x0000000000002000ULL
82 #define ARG_DEV 0x0000000000004000ULL
83 #define ARG_ADDR 0x0000000000008000ULL
84 #define ARG_LEN 0x0000000000010000ULL
85 #define ARG_MASK 0x0000000000020000ULL
86 #define ARG_SIGNUM 0x0000000000040000ULL
87 #define ARG_LOGIN 0x0000000000080000ULL
88 #define ARG_SADDRINET 0x0000000000100000ULL
89 #define ARG_SADDRINET6 0x0000000000200000ULL
90 #define ARG_SADDRUNIX 0x0000000000400000ULL
91 #define ARG_KPATH1 0x0000000000800000ULL
92 #define ARG_KPATH2 0x0000000001000000ULL
93 #define ARG_UPATH1 0x0000000002000000ULL
94 #define ARG_UPATH2 0x0000000004000000ULL
95 #define ARG_TEXT 0x0000000008000000ULL
96 #define ARG_VNODE1 0x0000000010000000ULL
97 #define ARG_VNODE2 0x0000000020000000ULL
98 #define ARG_SVIPC_CMD 0x0000000040000000ULL
99 #define ARG_SVIPC_PERM 0x0000000080000000ULL
100 #define ARG_SVIPC_ID 0x0000000100000000ULL
101 #define ARG_SVIPC_ADDR 0x0000000200000000ULL
102 #define ARG_GROUPSET 0x0000000400000000ULL
103 #define ARG_CMD 0x0000000800000000ULL
104 #define ARG_SOCKINFO 0x0000001000000000ULL
105 #define ARG_ASID 0x0000002000000000ULL
106 #define ARG_TERMID 0x0000004000000000ULL
107 #define ARG_AUDITON 0x0000008000000000ULL
108 #define ARG_VALUE 0x0000010000000000ULL
109 #define ARG_AMASK 0x0000020000000000ULL
110 #define ARG_CTLNAME 0x0000040000000000ULL
111 #define ARG_PROCESS 0x0000080000000000ULL
112 #define ARG_MACHPORT1 0x0000100000000000ULL
113 #define ARG_MACHPORT2 0x0000200000000000ULL
114 #define ARG_MAC_STRING 0x0000400000000000ULL
115 #define ARG_NONE 0x0000000000000000ULL
116 #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
117
118 /* Defines for the kernel audit record k_ar_commit field */
119 #define AR_COMMIT_KERNEL 0x00000001U
120 #define AR_COMMIT_USER 0x00000010U
121
122 struct vnode_au_info {
123 mode_t vn_mode;
124 uid_t vn_uid;
125 gid_t vn_gid;
126 dev_t vn_dev;
127 long vn_fsid;
128 long vn_fileid;
129 long vn_gen;
130 };
131
132 struct groupset {
133 gid_t gidset[NGROUPS];
134 u_int gidset_size;
135 };
136
137 struct socket_au_info {
138 int so_domain;
139 int so_type;
140 int so_protocol;
141 in_addr_t so_raddr; /* remote address if INET socket */
142 in_addr_t so_laddr; /* local address if INET socket */
143 u_short so_rport; /* remote port */
144 u_short so_lport; /* local port */
145 };
146
147 union auditon_udata {
148 char au_path[MAXPATHLEN];
149 long au_cond;
150 long au_flags;
151 long au_policy;
152 au_evclass_map_t au_evclass;
153 au_mask_t au_mask;
154 auditinfo_t au_auinfo;
155 auditpinfo_t au_aupinfo;
156 auditpinfo_addr_t au_aupinfo_addr;
157 au_qctrl_t au_qctrl;
158 au_stat_t au_stat;
159 au_fstat_t au_fstat;
160 };
161
162 struct posix_ipc_perm {
163 uid_t pipc_uid;
164 gid_t pipc_gid;
165 mode_t pipc_mode;
166 };
167
168 #if CONFIG_MACF
169
170 #define MAC_AUDIT_LABEL_LEN 1024
171 #define MAC_AUDIT_DATA_TYPE 0
172 #define MAC_AUDIT_TEXT_TYPE 1
173
174 struct mac_audit_record {
175 int type; // one of the types defined above
176 int length; // byte length of the data field
177 u_char *data; // the payload
178 LIST_ENTRY(mac_audit_record) records;
179 };
180
181 #endif
182
183 struct audit_record {
184 /* Audit record header. */
185 u_int32_t ar_magic;
186 int ar_event;
187 int ar_retval; /* value returned to the process */
188 int ar_errno; /* return status of system call */
189 struct timespec ar_starttime;
190 struct timespec ar_endtime;
191 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
192
193 /* Audit subject information. */
194 struct xucred ar_subj_cred;
195 uid_t ar_subj_ruid;
196 gid_t ar_subj_rgid;
197 gid_t ar_subj_egid;
198 uid_t ar_subj_auid; /* Audit user ID */
199 pid_t ar_subj_asid; /* Audit session ID */
200 pid_t ar_subj_pid;
201 struct au_tid ar_subj_term;
202 char ar_subj_comm[MAXCOMLEN + 1];
203 struct au_mask ar_subj_amask;
204
205 /* Operation arguments. */
206 uid_t ar_arg_euid;
207 uid_t ar_arg_ruid;
208 uid_t ar_arg_suid;
209 gid_t ar_arg_egid;
210 gid_t ar_arg_rgid;
211 gid_t ar_arg_sgid;
212 pid_t ar_arg_pid;
213 pid_t ar_arg_asid;
214 struct au_tid ar_arg_termid;
215 uid_t ar_arg_uid;
216 uid_t ar_arg_auid;
217 gid_t ar_arg_gid;
218 struct groupset ar_arg_groups;
219 int ar_arg_fd;
220 int ar_arg_fflags;
221 mode_t ar_arg_mode;
222 int ar_arg_dev;
223 long ar_arg_value;
224 void * ar_arg_addr;
225 int ar_arg_len;
226 int ar_arg_mask;
227 u_int ar_arg_signum;
228 char ar_arg_login[MAXLOGNAME];
229 int ar_arg_ctlname[CTL_MAXNAME];
230 struct sockaddr ar_arg_sockaddr;
231 struct socket_au_info ar_arg_sockinfo;
232 char *ar_arg_upath1;
233 char *ar_arg_upath2;
234 char *ar_arg_kpath1;
235 char *ar_arg_kpath2;
236 #if CONFIG_MACF
237 char *ar_vnode1_mac_labels;
238 char *ar_vnode2_mac_labels;
239 char *ar_cred_mac_labels;
240 char *ar_arg_mac_string;
241 #endif
242 char *ar_arg_text;
243 struct au_mask ar_arg_amask;
244 struct vnode_au_info ar_arg_vnode1;
245 struct vnode_au_info ar_arg_vnode2;
246 int ar_arg_cmd;
247 int ar_arg_svipc_cmd;
248 struct ipc_perm ar_arg_svipc_perm;
249 int ar_arg_svipc_id;
250 user_addr_t ar_arg_svipc_addr;
251 struct posix_ipc_perm ar_arg_pipc_perm;
252 mach_port_name_t ar_arg_mach_port1;
253 mach_port_name_t ar_arg_mach_port2;
254 union auditon_udata ar_arg_auditon;
255
256 #if CONFIG_MACF
257 /* MAC security related fields added by MAC policies
258 * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this
259 * call to be audited, 0 otherwise.
260 */
261 LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records;
262 int ar_forced_by_mac;
263 #endif
264
265 };
266
267 /*
268 * In-kernel version of audit record; the basic record plus queue meta-data.
269 * This record can also have a pointer set to some opaque data that will
270 * be passed through to the audit writing mechanism.
271 */
272 struct kaudit_record {
273 struct audit_record k_ar;
274 u_int32_t k_ar_commit;
275 void *k_udata; /* user data */
276 u_int k_ulen; /* user data length */
277 struct uthread *k_uthread; /* thread we are auditing */
278 TAILQ_ENTRY(kaudit_record) k_q;
279 };
280
281 struct proc;
282 struct vnode;
283 struct componentname;
284
285 int kau_will_audit(void);
286
287 void audit_abort(struct kaudit_record *ar);
288 void audit_commit(struct kaudit_record *ar, int error,
289 int retval);
290 void audit_init(void);
291 void audit_shutdown(void);
292
293 struct kaudit_record *audit_new(int event, struct proc *p,
294 struct uthread *uthread);
295
296 void audit_syscall_enter(unsigned short code,
297 struct proc *proc, struct uthread *uthread);
298 #if CONFIG_MACF
299 /*
300 * The parameter list of audit_syscall_exit() was modified to also take the
301 * Darwin syscall number, which is required by mac_audit_check_postselect().
302 */
303 void audit_syscall_exit(unsigned short code, int error,
304 struct proc *proc, struct uthread *uthread);
305 #else
306 void audit_syscall_exit(int error, struct proc *proc,
307 struct uthread *uthread);
308 #endif
309 void audit_mach_syscall_enter(unsigned short audit_event);
310 void audit_mach_syscall_exit(int retval,
311 struct uthread *uthread);
312
313 int kaudit_to_bsm(struct kaudit_record *kar,
314 struct au_record **pau);
315
316 int bsm_rec_verify(void *rec);
317
318 /*
319 * Kernel versions of the BSM audit record functions.
320 */
321 struct au_record *kau_open(void);
322 int kau_write(struct au_record *rec, token_t *m);
323 int kau_close(struct au_record *rec,
324 struct timespec *endtime, short event);
325 void kau_free(struct au_record *rec);
326 void kau_init(void);
327 token_t *kau_to_file(const char *file, const struct timeval *tv);
328 token_t *kau_to_header(const struct timespec *ctime, int rec_size,
329 au_event_t e_type, au_emod_t e_mod);
330 token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
331 au_event_t e_type, au_emod_t e_mod);
332 token_t *kau_to_header64(const struct timespec *ctime, int rec_size,
333 au_event_t e_type, au_emod_t e_mod);
334 /*
335 * The remaining kernel functions are conditionally compiled in as they
336 * are wrapped by a macro, and the macro should be the only place in
337 * the source tree where these functions are referenced.
338 */
339 #if AUDIT
340 void audit_arg_addr(user_addr_t addr);
341 void audit_arg_len(user_size_t len);
342 void audit_arg_fd(int fd);
343 void audit_arg_fflags(int fflags);
344 void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
345 gid_t sgid);
346 void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
347 uid_t suid);
348 void audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
349 void audit_arg_login(const char *login);
350 void audit_arg_ctlname(const int *name, int namelen);
351 void audit_arg_mask(int mask);
352 void audit_arg_mode(mode_t mode);
353 void audit_arg_dev(int dev);
354 void audit_arg_value(long value);
355 void audit_arg_owner(uid_t uid, gid_t gid);
356 void audit_arg_pid(pid_t pid);
357 void audit_arg_process(struct proc *p);
358 void audit_arg_signum(u_int signum);
359 void audit_arg_socket(int sodomain, int sotype,
360 int soprotocol);
361 void audit_arg_sockaddr(struct vnode *cwd_vp,
362 struct sockaddr *so);
363 void audit_arg_auid(uid_t auid);
364 void audit_arg_auditinfo(const struct auditinfo *au_info);
365 void audit_arg_upath(struct vnode *cwd_vp, char *upath,
366 u_int64_t flags);
367 void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
368 void audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
369 void audit_arg_text(const char *text);
370 void audit_arg_cmd(int cmd);
371 void audit_arg_svipc_cmd(int cmd);
372 void audit_arg_svipc_perm(const struct ipc_perm *perm);
373 void audit_arg_svipc_id(int id);
374 void audit_arg_svipc_addr(user_addr_t addr);
375 void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
376 mode_t mode);
377 void audit_arg_auditon(const union auditon_udata *udata);
378 void audit_arg_file(struct proc *p, const struct fileproc *fp);
379 void audit_arg_mach_port1(mach_port_name_t port);
380 void audit_arg_mach_port2(mach_port_name_t port);
381
382 void audit_sysclose(struct proc *p, int fd);
383
384 void audit_proc_init(struct proc *p);
385 void audit_proc_fork(struct proc *parent,
386 struct proc *child);
387 void audit_proc_free(struct proc *p);
388
389 #if CONFIG_MACF
390 /*
391 * audit_mac_data() is the MAC Framework's entry point to the audit subsystem.
392 * It currently creates only text and data audit tokens.
393 */
394 int audit_mac_data(int type, int len, u_char *data);
395 void audit_arg_mac_string(const char *string);
396
397 #endif
398
399 /*
400 * Define a macro to wrap the audit_arg_* calls by checking the global
401 * audit_enabled flag before performing the actual call.
402 */
403 #define AUDIT_ARG(op, args...) do { \
404 if (audit_enabled) \
405 audit_arg_ ## op (args); \
406 } while (0)
407
408 #define AUDIT_SYSCALL_ENTER(args...) do { \
409 if (audit_enabled) { \
410 audit_syscall_enter(args); \
411 } \
412 } while (0)
413
414 /*
415 * Wrap the audit_syscall_exit() function so that it is called only when
416 * auditing is enabled, or we have a audit record on the thread. It is
417 * possible that an audit record was begun before auditing was turned off.
418 */
419 #define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \
420 if (audit_enabled || (uthread->uu_ar != NULL)) { \
421 audit_syscall_exit(code, error, proc, uthread); \
422 } \
423 } while (0)
424
425 /*
426 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
427 * functions in a manner similar to other system call enter/exit functions.
428 */
429 #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
430 if (audit_enabled) { \
431 audit_mach_syscall_enter(args); \
432 } \
433 } while (0)
434
435 #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
436 struct uthread *__uthread = get_bsdthread_info(current_thread()); \
437 if (audit_enabled || (__uthread->uu_ar != NULL)) { \
438 audit_mach_syscall_exit(retval, __uthread); \
439 } \
440 } while (0)
441
442 /*
443 * A Macro to wrap the audit_sysclose() function.
444 */
445 #define AUDIT_SYSCLOSE(args...) do { \
446 if (audit_enabled) \
447 audit_sysclose(args); \
448 } while (0)
449
450 #else /* !AUDIT */
451
452 #define AUDIT_ARG(op, args...) do { \
453 } while (0)
454
455 #define AUDIT_SYSCALL_ENTER(args...) do { \
456 } while (0)
457
458 #define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \
459 } while (0)
460
461 #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
462 } while (0)
463
464 #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
465 } while (0)
466
467 #define AUDIT_SYSCLOSE(op, args...) do { \
468 } while (0)
469
470 #endif /* AUDIT */
471
472 #endif /* KERNEL */
473
474 #endif /* !_BSM_AUDIT_KERNEL_H */
mirror of XNU