2  * Copyright (c) 2005-2009 Apple Inc. 
   5  * Redistribution and use in source and binary forms, with or without 
   6  * modification, are permitted provided that the following conditions 
   9  * 1.  Redistributions of source code must retain the above copyright 
  10  *     notice, this list of conditions and the following disclaimer. 
  11  * 2.  Redistributions in binary form must reproduce the above copyright 
  12  *     notice, this list of conditions and the following disclaimer in the 
  13  *     documentation and/or other materials provided with the distribution. 
  14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of 
  15  *     its contributors may be used to endorse or promote products derived 
  16  *     from this software without specific prior written permission. 
  18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 
  19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
  20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
  21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 
  22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
  23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
  24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
  25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
  26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 
  27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
  29  * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#10 $ 
  32 #ifndef _BSM_AUDIT_RECORD_H_ 
  33 #define _BSM_AUDIT_RECORD_H_ 
  35 #include <bsm/audit.h>          /* token_t */ 
  36 #include <sys/time.h>                   /* struct timeval */ 
  39  * Token type identifiers. 
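  /*
   * Token type identifiers, reproduced without the listing's line-number
   * column so that every line is a valid preprocessor directive again.
   *
   * Every value shown here fits in one byte.  The 64-bit forms and most of
   * the extended (_EX) forms are grouped in 0x71-0x7f; AUT_HEADER32_EX
   * (0x15) is the visible exception.
   *
   * NOTE(review): this is not the complete table.  The listing omits lines
   * (no identifier is shown for the tokens built by au_to_text() or
   * au_to_path(), for example), so a record parser must not classify an ID
   * as invalid merely because it is missing here.  Check the full header,
   * and give any switch over these values an explicit default case.
   */
  #define AUT_INVALID             0x00
  #define AUT_OTHER_FILE32        0x11
  #define AUT_OHEADER             0x12
  #define AUT_TRAILER             0x13
  #define AUT_HEADER32            0x14
  #define AUT_HEADER32_EX         0x15
  #define AUT_SUBJECT32           0x24
  #define AUT_XATPATH             0x25
  #define AUT_PROCESS32           0x26
  #define AUT_RETURN32            0x27
  #define AUT_OPAQUE              0x29
  #define AUT_IN_ADDR             0x2a
  #define AUT_IPORT               0x2c
  #define AUT_ARG32               0x2d
  #define AUT_SOCKET              0x2e
  #define AUT_IPC_PERM            0x32
  #define AUT_LABEL               0x33
  #define AUT_GROUPS              0x34
  #define AUT_UPRIV               0x39
  #define AUT_LIAISON             0x3a
  #define AUT_NEWGROUPS           0x3b
  #define AUT_EXEC_ARGS           0x3c
  #define AUT_EXEC_ENV            0x3d
  #define AUT_ATTR32              0x3e
  #define AUT_UNAUTH              0x3f
  #define AUT_XATOM               0x40
  #define AUT_XPROTO              0x42
  #define AUT_XSELECT             0x43
  #define AUT_XCOLORMAP           0x44
  #define AUT_XCURSOR             0x45
  #define AUT_XFONT               0x46
  #define AUT_XPIXMAP             0x48
  #define AUT_XPROPERTY           0x49
  #define AUT_XWINDOW             0x4a
  #define AUT_XCLIENT             0x4b
  #define AUT_ZONENAME            0x60
  #define AUT_ARG64               0x71
  #define AUT_RETURN64            0x72
  #define AUT_ATTR64              0x73
  #define AUT_HEADER64            0x74
  #define AUT_SUBJECT64           0x75
  #define AUT_PROCESS64           0x77
  #define AUT_OTHER_FILE64        0x78
  #define AUT_HEADER64_EX         0x79
  #define AUT_SUBJECT32_EX        0x7a
  #define AUT_PROCESS32_EX        0x7b
  #define AUT_SUBJECT64_EX        0x7c
  #define AUT_PROCESS64_EX        0x7d
  #define AUT_IN_ADDR_EX          0x7e
  #define AUT_SOCKET_EX           0x7f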
 108  * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'.  We have 
 109  * compatibility defines. 
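 /*
  * Compatibility names from before BSM distinguished 32-bit and 64-bit
  * tokens (listing line numbers removed so the directives are valid).
  *
  * Each unsuffixed name expands to the 32-bit identifier.  Code that matches
  * on AUT_HEADER, AUT_SUBJECT, AUT_PROCESS, ... therefore does NOT match the
  * 64-bit or _EX form of the same token; a reader that filters or verifies
  * records must test those identifiers explicitly.
  */
 #define AUT_HEADER              AUT_HEADER32
 #define AUT_ARG                 AUT_ARG32
 #define AUT_RETURN              AUT_RETURN32
 #define AUT_SUBJECT             AUT_SUBJECT32
 #define AUT_PROCESS             AUT_PROCESS32
 #define AUT_OTHER_FILE          AUT_OTHER_FILE32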
 119  * The values for the following token ids are not defined by BSM. 
 121  * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them 
 122  * names more consistent with Sun's BSM.  These originally came from Apple's 
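 /*
  * Token IDs outside the set that BSM itself defines (listing line numbers
  * removed so the directives are valid).  The XXX markers are the original
  * author's.
  *
  * Because these values are not part of BSM, audit-trail tooling written
  * against another BSM implementation may not recognise them; a consumer
  * should handle them explicitly rather than let an unknown ID
  * desynchronise parsing of the rest of the record.
  */
 #define AUT_SOCKINET32          0x80            /* XXX */
 #define AUT_SOCKINET128         0x81            /* XXX */
 #define AUT_SOCKUNIX            0x82            /* XXX */

 /* Apple-specific tokens. */
 #define AUT_IDENTITY            0xed
 #define AUT_KRB5_PRINCIPAL      0xee
 #define AUT_CERT_HASH           0xef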
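 /*
  * Constants for the arbitrary-data token (listing line numbers removed so
  * the directives are valid).
  *
  * NOTE(review): the listing shows only part of this section.  AUR_BYTE and
  * AUR_INT32, which AUR_CHAR and AUR_INT expand to, are defined on lines
  * that are not shown, as are the other print values.
  */

 /* print values for the arbitrary token */
 #define AUP_DECIMAL     2

 /* data-types for the arbitrary token */
 #define AUR_CHAR        AUR_BYTE
 #define AUR_INT         AUR_INT32

 /*
  * ... and their sizes.  Each is a sizeof expression, so its type is size_t;
  * multiplying one by an element count taken from a record needs an
  * overflow check before the product is used as a buffer length.
  */
 #define AUR_BYTE_SIZE       sizeof(u_char)
 #define AUR_CHAR_SIZE       AUR_BYTE_SIZE
 #define AUR_SHORT_SIZE      sizeof(uint16_t)
 #define AUR_INT32_SIZE      sizeof(uint32_t)
 #define AUR_INT_SIZE        AUR_INT32_SIZE
 #define AUR_INT64_SIZE      sizeof(uint64_t)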
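 /*
  * Modifiers for the header token (listing line numbers removed so the
  * directives are valid).  The two values are distinct single bits, so they
  * can be combined with bitwise OR and tested with bitwise AND.
  *
  * NOTE(review): 0x8000 does not fit in a signed 16-bit type.  The definition
  * of au_emod_t is not visible here; keep modifier values in an unsigned
  * type so that testing PAD_FAILURE is not affected by sign extension.
  */
 #define PAD_NOTATTR  0x4000   /* nonattributable event */
 #define PAD_FAILURE  0x8000   /* fail audit event */

 /*
  * NOTE(review): au_to_groups(int *groups) takes no element count.
  * Presumably this constant is the number of entries it reads -- confirm,
  * and size the array passed to it accordingly.
  */
 #define AUDIT_MAX_GROUPS      16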
 164  * A number of BSM versions are floating around and defined.  Here are 
 165  * constants for them.  OpenBSM uses the same token types, etc, used in the 
 166  * Solaris BSM version, but has a separate version number in order to 
 167  * identify a potentially different event identifier name space. 
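 /*
  * Header-token version numbers (listing line numbers removed so the
  * directives are valid).  AUDIT_HEADER_VERSION_OPENBSM is an alias for the
  * OPENBSM11 value, so it changes meaning whenever the alias is repointed;
  * a reader that must accept older trails should compare against the
  * numbered constants, not the alias.
  */
 #define AUDIT_HEADER_VERSION_OLDDARWIN  1       /* In retrospect, a mistake. */
 #define AUDIT_HEADER_VERSION_SOLARIS    2
 #define AUDIT_HEADER_VERSION_TSOL25     3
 #define AUDIT_HEADER_VERSION_TSOL       4
 #define AUDIT_HEADER_VERSION_OPENBSM10  10
 #define AUDIT_HEADER_VERSION_OPENBSM11  11
 #define AUDIT_HEADER_VERSION_OPENBSM    AUDIT_HEADER_VERSION_OPENBSM11

 /*
  * Magic value associated with the trailer token.
  * NOTE(review): presumably a reader checks it, together with the record
  * size, to detect truncated or mis-framed records -- confirm in the parser.
  */
 #define AUT_TRAILER_MAGIC       0xb105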
 /*
  * Deprecation attributes carried by every prototype shown in this header.
  * Outside the kernel they expand to __API_DEPRECATED with the message
  * "audit is deprecated": __AUDIT_API_DEPRECATED covers macOS 10.4-10.16 and
  * __AUDIT_API_14_DEPRECATED covers macOS 10.14-10.16.  Callers that still
  * rely on these routines for security logging should treat the resulting
  * compiler warnings as a prompt to plan a migration.
  */
 179 #if !defined(_KERNEL) && !defined(KERNEL) 
 180 #include <Availability.h> 
 181 #define __AUDIT_API_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.4, 10.16)) 
 182 #define __AUDIT_API_14_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.14, 10.16)) 
 /*
  * NOTE(review): listing line 183 is not shown.  Presumably it is `#else`,
  * which would make the two empty definitions below the kernel-build case;
  * without it they would redefine the macros above.  Confirm upstream.
  */
 184 #define __AUDIT_API_DEPRECATED 
 185 #define __AUDIT_API_14_DEPRECATED 
 /* NOTE(review): the closing #endif (listing lines 186-187) is not shown. */
 188 /* BSM library calls */ 
 /*
  * Kernel builds only: forward declaration of struct vnode_au_info.  An
  * incomplete type is sufficient because the au_to_attr*() prototypes in
  * this header take it only by pointer.
  */
 201 #if defined(_KERNEL) || defined(KERNEL) 
 202 struct vnode_au_info
; 
 /*
  * NOTE(review): listing lines 203-205 are not shown.  The #endif for the
  * conditional above and the first line of the declaration that the next
  * two lines terminate are therefore missing from this page.
  */
 206 __AUDIT_API_DEPRECATED
; 
 /*
  * Record-assembly entry points.  All return int and are marked deprecated.
  * NOTE(review): the error convention is not stated on this page; check
  * every return value before assuming a token was appended or a record was
  * committed, since a silently dropped audit record is a logging gap.
  */
 207 int      au_write(int d
, token_t 
*m
) 
 208 __AUDIT_API_DEPRECATED
; 
 /* Closes descriptor d for the given event; `keep` presumably selects commit versus discard -- confirm. */
 209 int      au_close(int d
, int keep
, short event
) 
 210 __AUDIT_API_DEPRECATED
; 
 /*
  * The two *_buffer/_token variants write into caller memory.  `buffer` is a
  * bare u_char pointer, so its capacity can reach the callee only through
  * *buflen.
  * NOTE(review): presumably buflen is in/out (capacity in, bytes produced
  * out) -- confirm, and set *buflen to the real size of `buffer` before each
  * call; an uninitialised or stale value would misstate the bound.
  */
 211 int      au_close_buffer(int d
, short event
, u_char 
*buffer
, size_t *buflen
) 
 212 __AUDIT_API_DEPRECATED
; 
 213 int      au_close_token(token_t 
*tok
, u_char 
*buffer
, size_t *buflen
) 
 214 __AUDIT_API_DEPRECATED
; 
 /*
  * Token builders that take an explicit timestamp (struct timeval by value).
  * Every au_to_*() routine in this header returns token_t *.
  * NOTE(review): presumably NULL signals failure -- confirm, and check the
  * result before handing it to au_write().
  */
 216 token_t 
*au_to_file(const char *file
, struct timeval tm
) 
 217 __AUDIT_API_DEPRECATED
; 
 /*
  * Header builders.  rec_size is a signed int; how a negative or oversized
  * value is handled is not visible here, so validate it in the caller.
  * NOTE(review): listing line 220 is not shown, so the parameter list of
  * au_to_header32_tm below is cut off after e_mod.
  */
 219 token_t 
*au_to_header32_tm(int rec_size
, au_event_t e_type
, au_emod_t e_mod
, 
 221 __AUDIT_API_DEPRECATED
; 
 /* Extended form: additionally takes the audit address info through `aia`. */
 222 token_t 
*au_to_header32_ex_tm(int rec_size
, au_event_t e_type
, au_emod_t e_mod
, 
 223     struct timeval tm
, struct auditinfo_addr 
*aia
) 
 224 __AUDIT_API_DEPRECATED
; 
 /* NOTE(review): listing line 226 is not shown; the parameter list below is cut off after e_mod. */
 225 token_t 
*au_to_header64_tm(int rec_size
, au_event_t e_type
, au_emod_t e_mod
, 
 227 __AUDIT_API_DEPRECATED
; 
 /*
  * User-space only: header builders without a timestamp or audit-address
  * argument.
  * NOTE(review): presumably these obtain the current time (and, for the _ex
  * forms, the address info) themselves -- confirm.  The #endif that closes
  * this conditional (listing lines 239-240) is not shown on this page.
  */
 228 #if !defined(KERNEL) && !defined(_KERNEL) 
 229 token_t 
*au_to_header(int rec_size
, au_event_t e_type
, au_emod_t e_mod
) 
 230 __AUDIT_API_DEPRECATED
; 
 231 token_t 
*au_to_header_ex(int rec_size
, au_event_t e_type
, au_emod_t e_mod
) 
 232 __AUDIT_API_DEPRECATED
; 
 233 token_t 
*au_to_header32(int rec_size
, au_event_t e_type
, au_emod_t e_mod
) 
 234 __AUDIT_API_DEPRECATED
; 
 235 token_t 
*au_to_header64(int rec_size
, au_event_t e_type
, au_emod_t e_mod
) 
 236 __AUDIT_API_DEPRECATED
; 
 237 token_t 
*au_to_header32_ex(int rec_size
, au_event_t e_type
, au_emod_t e_mod
) 
 238 __AUDIT_API_DEPRECATED
; 
 /* Takes no arguments; presumably describes the calling process -- confirm. */
 241 token_t 
*au_to_me(void) 
 242 __AUDIT_API_DEPRECATED
; 
 /*
  * Argument tokens: argument number `n`, a descriptive string and the value.
  * au_to_arg and au_to_arg32 have identical signatures (uint32_t value);
  * au_to_arg64 takes uint64_t.  Passing a 64-bit value to the unsuffixed or
  * 32-bit form truncates it silently at the call site, which would record a
  * value that differs from what the audited call actually received.
  * `text` has no length parameter, so it must be NUL-terminated.
  */
 243 token_t 
*au_to_arg(char n
, const char *text
, uint32_t v
) 
 244 __AUDIT_API_DEPRECATED
; 
 245 token_t 
*au_to_arg32(char n
, const char *text
, uint32_t v
) 
 246 __AUDIT_API_DEPRECATED
; 
 247 token_t 
*au_to_arg64(char n
, const char *text
, uint64_t v
) 
 248 __AUDIT_API_DEPRECATED
; 
 /*
  * Kernel builds only: attribute tokens built from a struct vnode_au_info.
  * NOTE(review): the #endif that closes this conditional (listing lines
  * 257-258) is not shown on this page.
  */
 250 #if defined(_KERNEL) || defined(KERNEL) 
 251 token_t 
*au_to_attr(struct vnode_au_info 
*vni
) 
 252 __AUDIT_API_DEPRECATED
; 
 253 token_t 
*au_to_attr32(struct vnode_au_info 
*vni
) 
 254 __AUDIT_API_DEPRECATED
; 
 255 token_t 
*au_to_attr64(struct vnode_au_info 
*vni
) 
 256 __AUDIT_API_DEPRECATED
; 
 /*
  * Arbitrary-data token.  unit_count is a plain `char`, whose signedness is
  * implementation-defined; a count above CHAR_MAX cannot be passed reliably,
  * so range-check it in the caller.
  * NOTE(review): listing line 260 is not shown, so the parameter list below
  * is cut off after unit_count (the data pointer is not visible).
  */
 259 token_t 
*au_to_data(char unit_print
, char unit_type
, char unit_count
, 
 261 __AUDIT_API_DEPRECATED
; 
 262 token_t 
*au_to_exit(int retval
, int err
) 
 263 __AUDIT_API_DEPRECATED
; 
 /*
  * No element count is passed.
  * NOTE(review): presumably reads AUDIT_MAX_GROUPS entries -- confirm; the
  * array must be at least that large or the callee reads past its end.
  */
 264 token_t 
*au_to_groups(int *groups
) 
 265 __AUDIT_API_DEPRECATED
; 
 /* Counted form: `n` must not exceed the number of entries in `groups`. */
 266 token_t 
*au_to_newgroups(uint16_t n
, gid_t 
*groups
) 
 267 __AUDIT_API_DEPRECATED
; 
 /*
  * Network, IPC and path tokens.  The pointer arguments carry no length;
  * each callee presumably reads a full object of the pointed-to type, so
  * pass a complete, initialised structure (TODO confirm NULL handling).
  */
 268 token_t 
*au_to_in_addr(struct in_addr 
*internet_addr
) 
 269 __AUDIT_API_DEPRECATED
; 
 /* Extended form takes an IPv6 address structure. */
 270 token_t 
*au_to_in_addr_ex(struct in6_addr 
*internet_addr
) 
 271 __AUDIT_API_DEPRECATED
; 
 272 token_t 
*au_to_ip(struct ip 
*ip
) 
 273 __AUDIT_API_DEPRECATED
; 
 274 token_t 
*au_to_ipc(char type
, int id
) 
 275 __AUDIT_API_DEPRECATED
; 
 276 token_t 
*au_to_ipc_perm(struct ipc_perm 
*perm
) 
 277 __AUDIT_API_DEPRECATED
; 
 /* NOTE(review): whether iport is expected in host or network byte order is not visible here -- confirm. */
 278 token_t 
*au_to_iport(uint16_t iport
) 
 279 __AUDIT_API_DEPRECATED
; 
 /*
  * `bytes` is uint16_t, so at most 65535 bytes can be described.  A caller
  * holding a size_t length must range-check it before the call; an implicit
  * narrowing would record fewer bytes than intended without any diagnostic.
  */
 280 token_t 
*au_to_opaque(const char *data
, uint16_t bytes
) 
 281 __AUDIT_API_DEPRECATED
; 
 /* `path` has no length parameter, so it must be NUL-terminated. */
 282 token_t 
*au_to_path(const char *path
) 
 283 __AUDIT_API_DEPRECATED
; 
 /*
  * Process tokens.  Every variant takes, in this order: auid, euid, egid,
  * ruid, rgid, pid, sid, and a terminal-ID pointer.  The plain/32/64 forms
  * take au_tid_t *; the _ex forms take au_tid_addr_t *.
  *
  * euid/ruid share the type uid_t and egid/rgid share gid_t, so transposing
  * the effective and real values compiles cleanly and yields an audit record
  * that misattributes the action.  Review call sites for argument order.
  */
 284 token_t 
*au_to_process(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 285     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 286 __AUDIT_API_DEPRECATED
; 
 287 token_t 
*au_to_process32(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 288     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 289 __AUDIT_API_DEPRECATED
; 
 290 token_t 
*au_to_process64(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 291     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 292 __AUDIT_API_DEPRECATED
; 
 293 token_t 
*au_to_process_ex(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 294     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_addr_t 
*tid
) 
 295 __AUDIT_API_DEPRECATED
; 
 /* NOTE(review): listing line 298 is not shown; the parameter list below is cut off after sid. */
 296 token_t 
*au_to_process32_ex(au_id_t auid
, uid_t euid
, gid_t egid
, 
 297     uid_t ruid
, gid_t rgid
, pid_t pid
, au_asid_t sid
, 
 299 __AUDIT_API_DEPRECATED
; 
 300 token_t 
*au_to_process64_ex(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 301     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_addr_t 
*tid
) 
 302 __AUDIT_API_DEPRECATED
; 
 /*
  * Return-value tokens.  au_to_return and au_to_return32 have identical
  * signatures (uint32_t); au_to_return64 takes uint64_t.  `status` is a
  * plain `char`.
  * NOTE(review): presumably status carries a BSM error code such as the one
  * au_errno_to_bsm() returns, not a raw errno -- confirm before passing a
  * local errno value directly.
  */
 303 token_t 
*au_to_return(char status
, uint32_t ret
) 
 304 __AUDIT_API_DEPRECATED
; 
 305 token_t 
*au_to_return32(char status
, uint32_t ret
) 
 306 __AUDIT_API_DEPRECATED
; 
 307 token_t 
*au_to_return64(char status
, uint64_t ret
) 
 308 __AUDIT_API_DEPRECATED
; 
 /* audit_count is a `long`, whose width differs between 32-bit and 64-bit builds. */
 309 token_t 
*au_to_seq(long audit_count
) 
 310 __AUDIT_API_DEPRECATED
; 
 /*
  * Socket tokens.  au_to_socket_ex takes generic struct sockaddr pointers
  * with no length argument.
  * NOTE(review): the callee presumably decides how many bytes to read from
  * the address family -- confirm, and make sure the storage behind sa_local
  * and sa_remote is as large as the family stored in it requires.
  */
 311 token_t 
*au_to_socket_ex(u_short so_domain
, u_short so_type
, 
 312     struct sockaddr 
*sa_local
, struct sockaddr 
*sa_remote
) 
 313 __AUDIT_API_DEPRECATED
; 
 /* Typed forms: IPv4 (sock_inet, sock_inet32), IPv6 (sock_inet128) and UNIX-domain (sock_unix). */
 314 token_t 
*au_to_sock_inet(struct sockaddr_in 
*so
) 
 315 __AUDIT_API_DEPRECATED
; 
 316 token_t 
*au_to_sock_inet32(struct sockaddr_in 
*so
) 
 317 __AUDIT_API_DEPRECATED
; 
 318 token_t 
*au_to_sock_inet128(struct sockaddr_in6 
*so
) 
 319 __AUDIT_API_DEPRECATED
; 
 320 token_t 
*au_to_sock_unix(struct sockaddr_un 
*so
) 
 321 __AUDIT_API_DEPRECATED
; 
 /*
  * Subject tokens.  Same parameter list as the au_to_process*() family:
  * auid, euid, egid, ruid, rgid, pid, sid, terminal-ID pointer.  The
  * plain/32/64 forms take au_tid_t *; the _ex forms take au_tid_addr_t *.
  *
  * The subject token is what attributes a record to an identity, and the
  * effective/real pairs share types (uid_t, gid_t), so a transposed pair is
  * not caught by the compiler.  Review call sites for argument order.
  */
 322 token_t 
*au_to_subject(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 323     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 324 __AUDIT_API_DEPRECATED
; 
 325 token_t 
*au_to_subject32(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 326     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 327 __AUDIT_API_DEPRECATED
; 
 328 token_t 
*au_to_subject64(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 329     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_t 
*tid
) 
 330 __AUDIT_API_DEPRECATED
; 
 331 token_t 
*au_to_subject_ex(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 332     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_addr_t 
*tid
) 
 333 __AUDIT_API_DEPRECATED
; 
 334 token_t 
*au_to_subject32_ex(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 335     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_addr_t 
*tid
) 
 336 __AUDIT_API_DEPRECATED
; 
 337 token_t 
*au_to_subject64_ex(au_id_t auid
, uid_t euid
, gid_t egid
, uid_t ruid
, 
 338     gid_t rgid
, pid_t pid
, au_asid_t sid
, au_tid_addr_t 
*tid
) 
 339 __AUDIT_API_DEPRECATED
; 
 /*
  * Exec-argument, environment, certificate-hash and Kerberos-principal
  * tokens, declared twice with different signatures.
  *
  * Kernel form: a single char buffer plus an int count.
  * NOTE(review): the layout of that buffer is not visible here; presumably
  * it holds `count` consecutive NUL-terminated strings -- confirm, since the
  * count must then agree with the buffer's contents.
  */
 340 #if defined(_KERNEL) || defined(KERNEL) 
 341 token_t 
*au_to_exec_args(char *args
, int argc
) 
 342 __AUDIT_API_DEPRECATED
; 
 343 token_t 
*au_to_exec_env(char *envs
, int envc
) 
 344 __AUDIT_API_DEPRECATED
; 
 345 token_t 
*au_to_certificate_hash(char *hash
, int hashc
) 
 346 __AUDIT_API_14_DEPRECATED
; 
 347 token_t 
*au_to_krb5_principal(char *principal
, int princ
) 
 348 __AUDIT_API_14_DEPRECATED
; 
 /*
  * NOTE(review): listing line 349 is not shown; presumably `#else`, since the
  * same four names are redeclared below with different parameter lists.
  *
  * Second form: a char ** vector with no count, so the callee has to find
  * the end itself -- presumably a NULL terminator; confirm, and make sure
  * every vector passed in is terminated.
  */
 350 token_t 
*au_to_exec_args(char **argv
) 
 351 __AUDIT_API_DEPRECATED
; 
 352 token_t 
*au_to_exec_env(char **envp
) 
 353 __AUDIT_API_DEPRECATED
; 
 354 token_t 
*au_to_certificate_hash(char **hash
) 
 355 __AUDIT_API_14_DEPRECATED
; 
 356 token_t 
*au_to_krb5_principal(char **principal
) 
 357 __AUDIT_API_14_DEPRECATED
; 
 /* NOTE(review): the closing #endif (listing line 358) is not shown. */
 /* String tokens below take a const char * with no length, so the argument must be NUL-terminated. */
 359 token_t 
*au_to_text(const char *text
) 
 360 __AUDIT_API_DEPRECATED
; 
 361 token_t 
*au_to_kevent(struct kevent 
*kev
) 
 362 __AUDIT_API_DEPRECATED
; 
 /*
  * rec_size is a signed int.
  * NOTE(review): presumably it must equal the size given to the matching
  * header token so a reader can cross-check record framing -- confirm.
  */
 363 token_t 
*au_to_trailer(int rec_size
) 
 364 __AUDIT_API_DEPRECATED
; 
 365 token_t 
*au_to_zonename(const char *zonename
) 
 366 __AUDIT_API_DEPRECATED
; 
 /*
  * Identity token (code-signing identity).  signing_id and team_id each have
  * a companion *_trunc flag; presumably the caller sets it when the string
  * was shortened -- confirm.  A consumer should then treat a truncated ID as
  * a prefix, not an exact match.  cdhash is a raw byte buffer whose length is
  * given by cdhash_len; the two must agree or the callee reads out of bounds.
  */
 367 token_t 
*au_to_identity(uint32_t signer_type
, const char* signing_id
, 
 368     u_char signing_id_trunc
, const char* team_id
, u_char team_id_trunc
, 
 369     uint8_t* cdhash
, uint16_t cdhash_len
) 
 370 __AUDIT_API_14_DEPRECATED
; 
 373  * BSM library routines for converting between local and BSM constant spaces. 
 /*
  * BSM -> local conversions: take the BSM value and write the local value
  * through an int pointer, returning int.
  * NOTE(review): presumably the return value reports whether a mapping
  * exists -- confirm, and do not read the out-parameter unless the call
  * succeeded; it may be left unwritten for an unknown BSM value.
  */
 375 int      au_bsm_to_domain(u_short bsm_domain
, int *local_domainp
) 
 376 __AUDIT_API_DEPRECATED
; 
 377 int      au_bsm_to_errno(u_char bsm_error
, int *errorp
) 
 378 __AUDIT_API_DEPRECATED
; 
 379 int      au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd
, int *local_fcntl_cmdp
) 
 380 __AUDIT_API_DEPRECATED
; 
 381 int      au_bsm_to_socket_type(u_short bsm_socket_type
, 
 382     int *local_socket_typep
) 
 383 __AUDIT_API_DEPRECATED
; 
 /*
  * Local -> BSM conversions: return the BSM value directly (u_short, or
  * u_char for error numbers) with no separate status, so an unmappable local
  * value can only be reported in-band.
  * NOTE(review): which value represents "unknown" is not visible here --
  * confirm, so that such records are not mistaken for a real domain, errno,
  * fcntl command or socket type during analysis.
  */
 384 u_short  
au_domain_to_bsm(int local_domain
) 
 385 __AUDIT_API_DEPRECATED
; 
 386 u_char   
au_errno_to_bsm(int local_errno
) 
 387 __AUDIT_API_DEPRECATED
; 
 388 u_short  
au_fcntl_cmd_to_bsm(int local_fcntl_command
) 
 389 __AUDIT_API_DEPRECATED
; 
 390 u_short  
au_socket_type_to_bsm(int local_socket_type
) 
 391 __AUDIT_API_DEPRECATED
; 
 395 #endif /* ! _BSM_AUDIT_RECORD_H_ */