]>
git.saurik.com Git - apple/xnu.git/blob - bsd/bsm/audit_record.h
2 * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the
10 * License may not be used to create, or enable the creation or
11 * redistribution of, unlawful or unlicensed copies of an Apple operating
12 * system, or to circumvent, violate, or enable the circumvention or
13 * violation of, any terms of an Apple operating system software license
16 * Please obtain a copy of the License at
17 * http://www.opensource.apple.com/apsl/ and read it before using this
20 * The Original Code and all software distributed under the License are
21 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
22 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
23 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
24 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
25 * Please see the License for the specific language governing rights and
26 * limitations under the License.
28 * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
31 #ifndef _BSM_AUDIT_RECORD_H_
32 #define _BSM_AUDIT_RECORD_H_
34 #include <sys/cdefs.h>
35 #include <sys/vnode.h>
36 #include <sys/types.h>
38 #include <sys/event.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/in.h>
41 #include <netinet/ip.h>
43 /* We could determined the header and trailer sizes by
44 * defining appropriate structures. We hold off that approach
45 * till we have a consistant way of using structures for all tokens.
46 * This is not straightforward since these token structures may
47 * contain pointers of whose contents we dont know the size
50 #define HEADER_SIZE 18
51 #define TRAILER_SIZE 7
53 #define ADD_U_CHAR(loc, val) \
56 loc += sizeof(u_char);\
60 #define ADD_U_INT16(loc, val) \
62 memcpy(loc, (const u_char *)&val, sizeof(u_int16_t));\
63 loc += sizeof(u_int16_t); \
66 #define ADD_U_INT32(loc, val) \
68 memcpy(loc, (const u_char *)&val, sizeof(u_int32_t));\
69 loc += sizeof(u_int32_t); \
72 #define ADD_U_INT64(loc, val)\
74 memcpy(loc, (const u_char *)&val, sizeof(u_int64_t));\
75 loc += sizeof(u_int64_t); \
78 #define ADD_MEM(loc, data, size) \
80 memcpy(loc, data, size);\
84 #define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
87 /* Various token id types */
90 * Values inside the comments are not documented in the BSM pages and
91 * have been picked up from the header files
95 * Values marked as XXX do not have a value defined in the BSM header files
101 #define AUT_OTHER_FILE ((char)0x11)
102 #define AUT_OTHER_FILE32 AUT_OTHER_FILE
103 #define AUT_OHEADER ((char)0x12)
107 #define AUT_INVALID 0x00
108 #define AU_FILE_TOKEN 0x11
109 #define AU_TRAILER_TOKEN 0x13
110 #define AU_HEADER_32_TOKEN 0x14
111 #define AU_HEADER_EX_32_TOKEN 0x15
115 #define AUT_SERVER ((char)0x25)
116 #define AUT_SERVER32 AUT_SERVER
119 #define AU_DATA_TOKEN 0x21
120 #define AU_ARB_TOKEN AU_DATA_TOKEN
121 #define AU_IPC_TOKEN 0x22
122 #define AU_PATH_TOKEN 0x23
123 #define AU_SUBJECT_32_TOKEN 0x24
124 #define AU_PROCESS_32_TOKEN 0x26
125 #define AU_RETURN_32_TOKEN 0x27
126 #define AU_TEXT_TOKEN 0x28
127 #define AU_OPAQUE_TOKEN 0x29
128 #define AU_IN_ADDR_TOKEN 0x2A
129 #define AU_IP_TOKEN 0x2B
130 #define AU_IPORT_TOKEN 0x2C
131 #define AU_ARG32_TOKEN 0x2D
132 #define AU_SOCK_TOKEN 0x2E
133 #define AU_SEQ_TOKEN 0x2F
136 * Modifier token types
138 #define AUT_ACL ((char)0x30)
139 #define AUT_LABEL ((char)0x33)
140 #define AUT_GROUPS ((char)0x34)
141 #define AUT_ILABEL ((char)0x35)
142 #define AUT_SLABEL ((char)0x36)
143 #define AUT_CLEAR ((char)0x37)
144 #define AUT_PRIV ((char)0x38)
145 #define AUT_UPRIV ((char)0x39)
146 #define AUT_LIAISON ((char)0x3A)
150 #define AU_ATTR_TOKEN 0x31
151 #define AU_IPCPERM_TOKEN 0x32
152 #define AU_NEWGROUPS_TOKEN 0x3B
153 #define AU_EXEC_ARG_TOKEN 0x3C
154 #define AU_EXEC_ENV_TOKEN 0x3D
155 #define AU_ATTR32_TOKEN 0x3E
158 * Command token types
161 #define AU_CMD_TOKEN 0x51
162 #define AU_EXIT_TOKEN 0x52
165 * Miscellaneous token types
167 #define AUT_HOST ((char)0x70)
174 #define AUT_SERVER64 ((char)0x76)
175 #define AUT_OTHER_FILE64 ((char)0x78)
179 #define AU_ARG64_TOKEN 0x71
180 #define AU_RETURN_64_TOKEN 0x72
181 #define AU_ATTR64_TOKEN 0x73
182 #define AU_HEADER_64_TOKEN 0x74
183 #define AU_SUBJECT_64_TOKEN 0x75
184 #define AU_PROCESS_64_TOKEN 0x77
187 * Extended network address token types
190 #define AU_HEADER_EX_64_TOKEN 0x79
191 #define AU_SUBJECT_32_EX_TOKEN 0x7a
192 #define AU_PROCESS_32_EX_TOKEN 0x7b
193 #define AU_SUBJECT_64_EX_TOKEN 0x7c
194 #define AU_PROCESS_64_EX_TOKEN 0x7d
195 #define AU_IN_ADDR_EX_TOKEN 0x7e
196 #define AU_SOCK_EX32_TOKEN 0x7f
197 #define AU_SOCK_EX128_TOKEN AUT_INVALID /*XXX*/
198 #define AU_IP_EX_TOKEN AUT_INVALID /*XXX*/
201 * The values for the following token ids are not
204 #define AU_SOCK_INET_32_TOKEN 0x80 /*XXX*/
205 #define AU_SOCK_INET_128_TOKEN 0x81 /*XXX*/
206 #define AU_SOCK_UNIX_TOKEN 0x82 /*XXX*/
208 /* print values for the arbitrary token */
211 #define AUP_DECIMAL 2
215 /* data-types for the arbitrary token */
220 /* ... and their sizes */
221 #define AUR_BYTE_SIZE sizeof(u_char)
222 #define AUR_SHORT_SIZE sizeof(u_int16_t)
223 #define AUR_LONG_SIZE sizeof(u_int32_t)
225 /* Modifiers for the header token */
226 #define PAD_NOTATTR 0x4000 /* nonattributable event */
227 #define PAD_FAILURE 0x8000 /* fail audit event */
230 #define MAX_GROUPS 16
231 #define HEADER_VERSION 1
232 #define TRAILER_PAD_MAGIC 0xB105
234 /* BSM library calls */
239 int au_write(int d
, token_t
*m
);
240 int au_close(int d
, int keep
, short event
);
241 token_t
*au_to_file(char *file
);
242 token_t
*au_to_header(int rec_size
, au_event_t e_type
,
244 token_t
*au_to_header32(int rec_size
, au_event_t e_type
,
246 token_t
*au_to_header64(int rec_size
, au_event_t e_type
,
248 token_t
*au_to_me(void);
250 token_t
*au_to_arg(char n
, char *text
, u_int32_t v
);
251 token_t
*au_to_arg32(char n
, char *text
, u_int32_t v
);
252 token_t
*au_to_arg64(char n
, char *text
, u_int64_t v
);
253 token_t
*au_to_attr(struct vnode_attr
*attr
);
254 token_t
*au_to_attr32(struct vnode_attr
*attr
);
255 token_t
*au_to_attr64(struct vnode_attr
*attr
);
256 token_t
*au_to_data(char unit_print
, char unit_type
,
257 char unit_count
, char *p
);
258 token_t
*au_to_exit(int retval
, int err
);
259 token_t
*au_to_groups(int *groups
);
260 token_t
*au_to_newgroups(u_int16_t n
, gid_t
*groups
);
261 token_t
*au_to_in_addr(struct in_addr
*internet_addr
);
262 token_t
*au_to_in_addr_ex(struct in6_addr
*internet_addr
);
263 token_t
*au_to_ip(struct ip
*ip
);
264 token_t
*au_to_ipc(char type
, int id
);
265 token_t
*au_to_ipc_perm(struct ipc_perm
*perm
);
266 token_t
*au_to_iport(u_int16_t iport
);
267 token_t
*au_to_opaque(char *data
, u_int16_t bytes
);
268 token_t
*au_to_path(char *path
);
269 token_t
*au_to_process(au_id_t auid
, uid_t euid
, gid_t egid
,
270 uid_t ruid
, gid_t rgid
, pid_t pid
,
271 au_asid_t sid
, au_tid_t
*tid
);
272 token_t
*au_to_process32(au_id_t auid
, uid_t euid
, gid_t egid
,
273 uid_t ruid
, gid_t rgid
, pid_t pid
,
274 au_asid_t sid
, au_tid_t
*tid
);
275 token_t
*au_to_process64(au_id_t auid
, uid_t euid
, gid_t egid
,
276 uid_t ruid
, gid_t rgid
, pid_t pid
,
277 au_asid_t sid
, au_tid_t
*tid
);
278 token_t
*au_to_process_ex(au_id_t auid
, uid_t euid
,
279 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
280 au_asid_t sid
, au_tid_addr_t
*tid
);
281 token_t
*au_to_process32_ex(au_id_t auid
, uid_t euid
,
282 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
283 au_asid_t sid
, au_tid_addr_t
*tid
);
284 token_t
*au_to_process64_ex(au_id_t auid
, uid_t euid
,
285 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
286 au_asid_t sid
, au_tid_addr_t
*tid
);
287 token_t
*au_to_return(char status
, u_int32_t ret
);
288 token_t
*au_to_return32(char status
, u_int32_t ret
);
289 token_t
*au_to_return64(char status
, u_int64_t ret
);
290 token_t
*au_to_seq(long audit_count
);
291 token_t
*au_to_socket(struct socket
*so
);
292 token_t
*au_to_socket_ex_32(u_int16_t lp
, u_int16_t rp
,
293 struct sockaddr
*la
, struct sockaddr
*ta
);
294 token_t
*au_to_socket_ex_128(u_int16_t lp
, u_int16_t rp
,
295 struct sockaddr
*la
, struct sockaddr
*ta
);
296 token_t
*au_to_sock_inet(struct sockaddr_in
*so
);
297 token_t
*au_to_sock_inet32(struct sockaddr_in
*so
);
298 token_t
*au_to_sock_inet128(struct sockaddr_in6
*so
);
299 token_t
*au_to_sock_unix(struct sockaddr_un
*so
);
300 token_t
*au_to_subject(au_id_t auid
, uid_t euid
, gid_t egid
,
301 uid_t ruid
, gid_t rgid
, pid_t pid
,
302 au_asid_t sid
, au_tid_t
*tid
);
303 token_t
*au_to_subject32(au_id_t auid
, uid_t euid
, gid_t egid
,
304 uid_t ruid
, gid_t rgid
, pid_t pid
,
305 au_asid_t sid
, au_tid_t
*tid
);
306 token_t
*au_to_subject64(au_id_t auid
, uid_t euid
, gid_t egid
,
307 uid_t ruid
, gid_t rgid
, pid_t pid
,
308 au_asid_t sid
, au_tid_t
*tid
);
309 token_t
*au_to_subject_ex(au_id_t auid
, uid_t euid
,
310 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
311 au_asid_t sid
, au_tid_addr_t
*tid
);
312 token_t
*au_to_subject32_ex(au_id_t auid
, uid_t euid
,
313 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
314 au_asid_t sid
, au_tid_addr_t
*tid
);
315 token_t
*au_to_subject64_ex(au_id_t auid
, uid_t euid
,
316 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
317 au_asid_t sid
, au_tid_addr_t
*tid
);
318 token_t
*au_to_exec_args(const char **);
319 token_t
*au_to_exec_env(const char **);
320 token_t
*au_to_text(char *text
);
321 token_t
*au_to_kevent(struct kevent
*kev
);
322 token_t
*au_to_trailer(int rec_size
);
326 #endif /* ! _BSM_AUDIT_RECORD_H_ */
projects / apple / xnu.git / blob