bsd/bsm/audit_record.h

   1 /*
   2  * Copyright (c) 1999-2007 Apple Inc.  All Rights Reserved.
   3  *
   4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. The rights granted to you under the License
  10  * may not be used to create, or enable the creation or redistribution of,
  11  * unlawful or unlicensed copies of an Apple operating system, or to
  12  * circumvent, violate, or enable the circumvention or violation of, any
  13  * terms of an Apple operating system software license agreement.
  14  *
  15  * Please obtain a copy of the License at
  16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  17  *
  18  * The Original Code and all software distributed under the License are
  19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  23  * Please see the License for the specific language governing rights and
  24  * limitations under the License.
  25  *
  26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  27  */
  28
  29 #ifndef _BSM_AUDIT_RECORD_H_
  30 #define _BSM_AUDIT_RECORD_H_
  31
  32 #include <sys/cdefs.h>
  33 #include <sys/vnode.h>
  34 #include <sys/types.h>
  35 #include <sys/un.h>
  36 #include <sys/event.h>
  37 #include <netinet/in_systm.h>
  38 #include <netinet/in.h>
  39 #include <netinet/ip.h>
  40
  41 /* We could determined the header and trailer sizes by
  42  * defining appropriate structures. We hold off that approach
  43  * till we have a consistant way of using structures for all tokens.
  44  * This is not straightforward since these token structures may
  45  * contain pointers of whose contents we dont know the size
  46  * (e.g text tokens)
  47  */
  48 #define HEADER_SIZE     18
  49 #define TRAILER_SIZE    7
  50
  51 #define ADD_U_CHAR(loc, val) \
  52         do {\
  53                 *loc = val;\
  54                 loc += sizeof(u_char);\
  55         }while(0)
  56
  57
  58 #define ADD_U_INT16(loc, val) \
  59         do { \
  60                 memcpy(loc, (const u_char *)&val, sizeof(u_int16_t));\
  61                 loc += sizeof(u_int16_t); \
  62         }while(0)
  63
  64 #define ADD_U_INT32(loc, val) \
  65         do { \
  66                 memcpy(loc, (const u_char *)&val, sizeof(u_int32_t));\
  67                 loc += sizeof(u_int32_t); \
  68         }while(0)
  69
  70 #define ADD_U_INT64(loc, val)\
  71         do {\
  72                 memcpy(loc, (const u_char *)&val, sizeof(u_int64_t));\
  73                 loc += sizeof(u_int64_t); \
  74         }while(0)
  75
  76 #define ADD_MEM(loc, data, size) \
  77         do { \
  78                 memcpy(loc, data, size);\
  79                 loc += size;\
  80         }while(0)
  81
  82 #define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
  83
  84
  85 /* Various token id types */
  86
  87 /*
  88  * Values inside the comments are not documented in the BSM pages and
  89  * have been picked up from the header files
  90  */
  91
  92 /*
  93  * Values marked as XXX do not have a value defined in the BSM header files
  94  */
  95
  96 /*
  97  * Control token types
  98
  99 #define AUT_OTHER_FILE              ((char)0x11)
 100 #define AUT_OTHER_FILE32            AUT_OTHER_FILE
 101 #define AUT_OHEADER                 ((char)0x12)
 102
 103  */
 104
 105 #define AUT_INVALID                 0x00
 106 #define AU_FILE_TOKEN               0x11
 107 #define AU_TRAILER_TOKEN            0x13
 108 #define AU_HEADER_32_TOKEN          0x14
 109 #define AU_HEADER_EX_32_TOKEN       0x15
 110
 111 /*
 112  * Data token types
 113 #define AUT_SERVER              ((char)0x25)
 114 #define AUT_SERVER32            AUT_SERVER
 115  */
 116
 117 #define AU_DATA_TOKEN               0x21
 118 #define AU_ARB_TOKEN                AU_DATA_TOKEN
 119 #define AU_IPC_TOKEN                0x22
 120 #define AU_PATH_TOKEN               0x23
 121 #define AU_SUBJECT_32_TOKEN         0x24
 122 #define AU_PROCESS_32_TOKEN         0x26
 123 #define AU_RETURN_32_TOKEN          0x27
 124 #define AU_TEXT_TOKEN               0x28
 125 #define AU_OPAQUE_TOKEN             0x29
 126 #define AU_IN_ADDR_TOKEN            0x2A
 127 #define AU_IP_TOKEN                 0x2B
 128 #define AU_IPORT_TOKEN              0x2C
 129 #define AU_ARG32_TOKEN              0x2D
 130 #define AU_SOCK_TOKEN               0x2E
 131 #define AU_SEQ_TOKEN                0x2F
 132
 133 /*
 134  * Modifier token types
 135
 136 #define AUT_ACL                 ((char)0x30)
 137 #define AUT_LABEL               ((char)0x33)
 138 #define AUT_GROUPS              ((char)0x34)
 139 #define AUT_ILABEL              ((char)0x35)
 140 #define AUT_SLABEL              ((char)0x36)
 141 #define AUT_CLEAR               ((char)0x37)
 142 #define AUT_PRIV                ((char)0x38)
 143 #define AUT_UPRIV               ((char)0x39)
 144 #define AUT_LIAISON             ((char)0x3A)
 145
 146  */
 147
 148 #define AU_ATTR_TOKEN               0x31
 149 #define AU_IPCPERM_TOKEN            0x32
 150 #define AU_NEWGROUPS_TOKEN          0x3B
 151 #define AU_EXEC_ARG_TOKEN           0x3C
 152 #define AU_EXEC_ENV_TOKEN           0x3D
 153 #define AU_ATTR32_TOKEN             0x3E
 154
 155 /*
 156  * Command token types
 157  */
 158
 159 #define AU_CMD_TOKEN                0x51
 160 #define AU_EXIT_TOKEN               0x52
 161
 162 /*
 163  * Miscellaneous token types
 164
 165 #define AUT_HOST                ((char)0x70)
 166
 167  */
 168
 169 /*
 170  * 64bit token types
 171
 172 #define AUT_SERVER64            ((char)0x76)
 173 #define AUT_OTHER_FILE64                ((char)0x78)
 174
 175  */
 176
 177 #define AU_ARG64_TOKEN              0x71
 178 #define AU_RETURN_64_TOKEN          0x72
 179 #define AU_ATTR64_TOKEN             0x73
 180 #define AU_HEADER_64_TOKEN          0x74
 181 #define AU_SUBJECT_64_TOKEN         0x75
 182 #define AU_PROCESS_64_TOKEN         0x77
 183
 184 /*
 185  * Extended network address token types
 186  */
 187
 188 #define AU_HEADER_EX_64_TOKEN       0x79
 189 #define AU_SUBJECT_32_EX_TOKEN      0x7a
 190 #define AU_PROCESS_32_EX_TOKEN      0x7b
 191 #define AU_SUBJECT_64_EX_TOKEN      0x7c
 192 #define AU_PROCESS_64_EX_TOKEN      0x7d
 193 #define AU_IN_ADDR_EX_TOKEN         0x7e
 194 #define AU_SOCK_EX32_TOKEN          0x7f
 195 #define AU_SOCK_EX128_TOKEN         AUT_INVALID         /*XXX*/
 196 #define AU_IP_EX_TOKEN              AUT_INVALID         /*XXX*/
 197
 198 /*
 199  * The values for the following token ids are not
 200  * defined by BSM
 201  */
 202 #define AU_SOCK_INET_32_TOKEN       0x80         /*XXX*/
 203 #define AU_SOCK_INET_128_TOKEN      0x81         /*XXX*/
 204 #define AU_SOCK_UNIX_TOKEN          0x82         /*XXX*/
 205
 206 /* print values for the arbitrary token */
 207 #define AUP_BINARY      0
 208 #define AUP_OCTAL       1
 209 #define AUP_DECIMAL     2
 210 #define AUP_HEX         3
 211 #define AUP_STRING      4
 212
 213 /* data-types for the arbitrary token */
 214 #define AUR_BYTE        0
 215 #define AUR_SHORT       1
 216 #define AUR_LONG        2
 217
 218 /* ... and their sizes */
 219 #define AUR_BYTE_SIZE       sizeof(u_char)
 220 #define AUR_SHORT_SIZE      sizeof(u_int16_t)
 221 #define AUR_LONG_SIZE       sizeof(u_int32_t)
 222
 223 /* Modifiers for the header token */
 224 #define PAD_NOTATTR  0x4000   /* nonattributable event */
 225 #define PAD_FAILURE  0x8000   /* fail audit event */
 226
 227
 228 #define MAX_GROUPS          16
 229 #define HEADER_VERSION      1
 230 #define TRAILER_PAD_MAGIC   0xB105
 231
 232 /* BSM library calls */
 233
 234 __BEGIN_DECLS
 235
 236 int                     au_open(void);
 237 int                     au_write(int d, token_t *m);
 238 int                     au_close(int d, int keep, short event);
 239 token_t                 *au_to_file(char *file);
 240 token_t                 *au_to_header(int rec_size, au_event_t e_type,
 241                                         au_emod_t e_mod);
 242 token_t                 *au_to_header32(int rec_size, au_event_t e_type,
 243                                         au_emod_t e_mod);
 244 token_t                 *au_to_header64(int rec_size, au_event_t e_type,
 245                                         au_emod_t e_mod);
 246 token_t                 *au_to_me(void);
 247
 248 token_t                 *au_to_arg(char n, char *text, u_int32_t v);
 249 token_t                 *au_to_arg32(char n, const char *text, u_int32_t v);
 250 token_t                 *au_to_arg64(char n, const char *text, u_int64_t v);
 251 token_t                 *au_to_attr(struct vnode_attr *attr);
 252 token_t                 *au_to_attr32(struct vnode_attr *attr);
 253 token_t                 *au_to_attr64(struct vnode_attr *attr);
 254 token_t                 *au_to_data(char unit_print, char unit_type,
 255                                 char unit_count, unsigned char *p);
 256 token_t                 *au_to_exit(int retval, int err);
 257 token_t                 *au_to_groups(gid_t *groups);
 258 token_t                 *au_to_newgroups(u_int16_t n, gid_t *groups);
 259 token_t                 *au_to_in_addr(struct in_addr *internet_addr);
 260 token_t                 *au_to_in_addr_ex(struct in6_addr *internet_addr);
 261 token_t                 *au_to_ip(struct ip *ip);
 262 token_t                 *au_to_ipc(char type, int id);
 263 token_t                 *au_to_ipc_perm(struct ipc_perm *perm);
 264 token_t                 *au_to_iport(u_int16_t iport);
 265 token_t                 *au_to_opaque(char *data, u_int16_t bytes);
 266 token_t                 *au_to_path(char *path);
 267 token_t                 *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
 268                                 uid_t ruid, gid_t rgid, pid_t pid,
 269                                 au_asid_t sid, au_tid_t *tid);
 270 token_t                 *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
 271                                 uid_t ruid, gid_t rgid, pid_t pid,
 272                                 au_asid_t sid, au_tid_t *tid);
 273 token_t                 *au_to_process64(au_id_t auid, uid_t euid, gid_t egid,
 274                                 uid_t ruid, gid_t rgid, pid_t pid,
 275                                 au_asid_t sid, au_tid_t *tid);
 276 token_t                 *au_to_process_ex(au_id_t auid, uid_t euid,
 277                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 278                                 au_asid_t sid, au_tid_addr_t *tid);
 279 token_t                 *au_to_process32_ex(au_id_t auid, uid_t euid,
 280                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 281                                 au_asid_t sid, au_tid_addr_t *tid);
 282 token_t                 *au_to_process64_ex(au_id_t auid, uid_t euid,
 283                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 284                                 au_asid_t sid, au_tid_addr_t *tid);
 285 token_t                 *au_to_return(char status, u_int32_t ret);
 286 token_t                 *au_to_return32(char status, u_int32_t ret);
 287 token_t                 *au_to_return64(char status, u_int64_t ret);
 288 token_t                 *au_to_seq(u_int32_t audit_count);
 289 token_t                 *au_to_socket(struct socket *so);
 290 token_t                 *au_to_socket_ex_32(u_int16_t lp, u_int16_t rp,
 291                                 struct sockaddr *la, struct sockaddr *ta);
 292 token_t                 *au_to_socket_ex_128(u_int16_t lp, u_int16_t rp,
 293                                 struct sockaddr *la, struct sockaddr *ta);
 294 token_t                 *au_to_sock_inet(struct sockaddr_in *so);
 295 token_t                 *au_to_sock_inet32(struct sockaddr_in *so);
 296 token_t                 *au_to_sock_inet128(struct sockaddr_in6 *so);
 297 token_t                 *au_to_sock_unix(struct sockaddr_un *so);
 298 token_t                 *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
 299                                 uid_t ruid, gid_t rgid, pid_t pid,
 300                                 au_asid_t sid, au_tid_t *tid);
 301 token_t                 *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
 302                                 uid_t ruid, gid_t rgid, pid_t pid,
 303                                 au_asid_t sid, au_tid_t *tid);
 304 token_t                 *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid,
 305                                 uid_t ruid, gid_t rgid, pid_t pid,
 306                                 au_asid_t sid, au_tid_t *tid);
 307 token_t                 *au_to_subject_ex(au_id_t auid, uid_t euid,
 308                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 309                                 au_asid_t sid, au_tid_addr_t *tid);
 310 token_t                 *au_to_subject32_ex(au_id_t auid, uid_t euid,
 311                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 312                                 au_asid_t sid, au_tid_addr_t *tid);
 313 token_t                 *au_to_subject64_ex(au_id_t auid, uid_t euid,
 314                                 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
 315                                 au_asid_t sid, au_tid_addr_t *tid);
 316 token_t                 *au_to_exec_args(const char **);
 317 token_t                 *au_to_exec_env(const char **);
 318 token_t                 *au_to_text(const char *text);
 319 token_t                 *au_to_kevent(struct kevent *kev);
 320 token_t                 *au_to_trailer(int rec_size);
 321
 322 __END_DECLS
 323
 324 #endif /* ! _BSM_AUDIT_RECORD_H_ */