/*
 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License"). You may not use this file except in compliance with the
 * License. Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * Kernel-private interface to the BSM audit subsystem: the in-kernel
 * audit record layout, the ARG_* argument-validity bits, and the
 * audit_*, audit_arg_* and kau_* entry points used by system call code.
 */

#ifndef _SYS_KERN_AUDIT_H
#define _SYS_KERN_AUDIT_H

#ifdef KERNEL

/*
 * Audit subsystem condition flags. The audit_enabled flag is set and
 * removed automatically as a result of configuring log files, and
 * can be observed but should not be directly manipulated. The audit
 * suspension flag permits audit to be temporarily disabled without
 * reconfiguring the audit target.
 *
 * NOTE(review): the AUDIT_ARG()/AUDIT_CMD() macros later in this header
 * test audit_enabled only; audit_suspended is not consulted there, so it
 * is presumably honoured further down the record path (e.g. at commit
 * time) -- confirm in the implementation. Both flags are plain ints that
 * the macros read with no synchronization.
 */
extern int audit_enabled;
extern int audit_suspended;

/*
 * Per-event outcome codes. NOTE(review): the names suggest they classify
 * a system call's result for the BSM record (succeeded / failed / do not
 * emit a record); the mapping from ar_errno to these values is not in
 * this header -- confirm in the implementation.
 */
#define BSM_SUCCESS 0
#define BSM_FAILURE 1
#define BSM_NOAUDIT 2

/*
 * Define the masks for the audited arguments.
 *
 * Each bit names one ar_arg_* field of struct audit_record and is
 * presumably OR-ed into ar_valid_arg ("Bitmask of valid arguments")
 * when that field is filled in; the u_int64_t flags parameter of
 * audit_arg_upath()/audit_arg_vnpath() is the same width, presumably to
 * select the ARG_UPATH1/2 or ARG_VNODE1/2 slot -- confirm in the
 * implementation. ARG_NONE is the empty set and ARG_ALL sets all 64 bits.
 *
 * NOTE(review): the 0x0800 bit is a hole in the table. Its placeholder
 * name UNUSED carries no ARG_ prefix and can collide with any other
 * definition of UNUSED (e.g. an attribute helper macro) in a translation
 * unit that includes this header; ARG_UNUSED would be the safer name.
 */
#define ARG_EUID 0x0000000000000001ULL
#define ARG_RUID 0x0000000000000002ULL
#define ARG_SUID 0x0000000000000004ULL
#define ARG_EGID 0x0000000000000008ULL
#define ARG_RGID 0x0000000000000010ULL
#define ARG_SGID 0x0000000000000020ULL
#define ARG_PID 0x0000000000000040ULL
#define ARG_UID 0x0000000000000080ULL
#define ARG_AUID 0x0000000000000100ULL
#define ARG_GID 0x0000000000000200ULL
#define ARG_FD 0x0000000000000400ULL
#define UNUSED 0x0000000000000800ULL	/* reserved bit, see note above */
#define ARG_FFLAGS 0x0000000000001000ULL
#define ARG_MODE 0x0000000000002000ULL
#define ARG_DEV 0x0000000000004000ULL
#define ARG_ACCMODE 0x0000000000008000ULL
#define ARG_CMODE 0x0000000000010000ULL
#define ARG_MASK 0x0000000000020000ULL
#define ARG_SIGNUM 0x0000000000040000ULL
#define ARG_LOGIN 0x0000000000080000ULL
#define ARG_SADDRINET 0x0000000000100000ULL
#define ARG_SADDRINET6 0x0000000000200000ULL
#define ARG_SADDRUNIX 0x0000000000400000ULL
#define ARG_KPATH1 0x0000000000800000ULL
#define ARG_KPATH2 0x0000000001000000ULL
#define ARG_UPATH1 0x0000000002000000ULL
#define ARG_UPATH2 0x0000000004000000ULL
#define ARG_TEXT 0x0000000008000000ULL
#define ARG_VNODE1 0x0000000010000000ULL
#define ARG_VNODE2 0x0000000020000000ULL
#define ARG_SVIPC_CMD 0x0000000040000000ULL
#define ARG_SVIPC_PERM 0x0000000080000000ULL
#define ARG_SVIPC_ID 0x0000000100000000ULL
#define ARG_SVIPC_ADDR 0x0000000200000000ULL
#define ARG_GROUPSET 0x0000000400000000ULL
#define ARG_CMD 0x0000000800000000ULL
#define ARG_SOCKINFO 0x0000001000000000ULL
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL

/*
 * Vnode attributes captured for an audited path; this is the type of the
 * ar_arg_vnode1/ar_arg_vnode2 slots of struct audit_record, presumably
 * filled by audit_arg_vnpath().
 */
struct vnode_au_info {
	mode_t vn_mode;		/* file type and permission bits */
	uid_t vn_uid;		/* owner */
	gid_t vn_gid;		/* group */
	dev_t vn_dev;
	long vn_fsid;		/* the three long fields are ABI-width, not fixed-size */
	long vn_fileid;
	long vn_gen;
};

/*
 * Supplementary group list captured for an audited call (ar_arg_groups).
 * gidset_size is the number of valid entries and can never legitimately
 * exceed NGROUPS, since gidset is a fixed array. NOTE(review):
 * audit_arg_groupset() takes the caller's count; confirm in the
 * implementation that it clamps or rejects counts above NGROUPS before
 * copying, especially where the count originates from user space.
 */
struct groupset {
	gid_t gidset[NGROUPS];
	u_int gidset_size;
};

/*
 * Socket creation parameters for an audited call (ar_arg_sockinfo); the
 * three fields mirror the parameters of audit_arg_socket().
 */
struct socket_info {
	int sodomain;
	int sotype;
	int soprotocol;
};

/*
 * One audit record, assembled while an audited system call runs. The
 * header part identifies the event and its outcome, the subject part
 * describes the calling process, and the argument part holds whatever
 * the audit_arg_*() functions stored for this call; ar_valid_arg says
 * which argument fields are meaningful.
 */
struct audit_record {
	/* Audit record header. */
	u_int32_t ar_magic;
	int ar_event;
	int ar_retval;				/* value returned to the process */
	int ar_errno;				/* return status of system call */
	struct timespec ar_starttime;
	struct timespec ar_endtime;
	u_int64_t ar_valid_arg;			/* Bitmask of valid arguments (ARG_* bits) */

	/* Audit subject information. */
	struct xucred ar_subj_cred;
	uid_t ar_subj_ruid;
	gid_t ar_subj_rgid;
	gid_t ar_subj_egid;
	uid_t ar_subj_auid;			/* Audit user ID */
	pid_t ar_subj_asid;			/* Audit session ID */
	pid_t ar_subj_pid;
	struct au_tid ar_subj_term;
	char ar_subj_comm[MAXCOMLEN + 1];	/* +1 leaves room for the terminating NUL */
	struct au_mask ar_subj_amask;

	/*
	 * Operation arguments. A field is only meaningful when its ARG_*
	 * bit is set in ar_valid_arg; the others are unspecified.
	 */
	uid_t ar_arg_euid;
	uid_t ar_arg_ruid;
	uid_t ar_arg_suid;
	gid_t ar_arg_egid;
	gid_t ar_arg_rgid;
	gid_t ar_arg_sgid;
	pid_t ar_arg_pid;
	uid_t ar_arg_uid;
	uid_t ar_arg_auid;
	gid_t ar_arg_gid;
	struct groupset ar_arg_groups;
	int ar_arg_fd;
	int ar_arg_fflags;
	mode_t ar_arg_mode;
	int ar_arg_dev;				/* int, matching audit_arg_dev(); vnode_au_info uses dev_t */
	int ar_arg_accmode;
	int ar_arg_cmode;
	int ar_arg_mask;
	u_int ar_arg_signum;
	char ar_arg_login[MAXLOGNAME];		/* inline buffer: writers must stop at MAXLOGNAME and NUL-terminate */
	/*
	 * NOTE(review): struct sockaddr is only the generic fixed-size
	 * header (sa_len, sa_family and 14 bytes of sa_data). An AF_INET6
	 * address, which the ARG_SADDRINET6 bit implies can be recorded,
	 * does not fit in it, so audit_arg_sockaddr() must bound its copy
	 * to sizeof(struct sockaddr) or this field needs a larger storage
	 * type -- confirm in the implementation.
	 */
	struct sockaddr ar_arg_sockaddr;
	struct socket_info ar_arg_sockinfo;
	/*
	 * Path and text arguments are pointers rather than inline buffers.
	 * NOTE(review): ownership (who allocates and frees them, and whether
	 * they may point at user memory) is not specified in this header;
	 * confirm in the implementation before keeping a record past
	 * audit_commit()/audit_abort().
	 */
	char *ar_arg_upath1;
	char *ar_arg_upath2;
	char *ar_arg_kpath1;
	char *ar_arg_kpath2;
	char *ar_arg_text;
	struct au_mask ar_arg_amask;
	struct vnode_au_info ar_arg_vnode1;
	struct vnode_au_info ar_arg_vnode2;
	int ar_arg_cmd;
	int ar_arg_svipc_cmd;
	struct ipc_perm ar_arg_svipc_perm;	/* System V IPC permission block */
	int ar_arg_svipc_id;
	void * ar_arg_svipc_addr;		/* see audit_arg_svipc_addr() */
};

/*
 * In-kernel version of audit record; the basic record plus queue meta-data.
 * This record can also have a pointer set to some opaque data that will
 * be passed through to the audit writing mechanism.
 *
 * NOTE(review): k_ulen is the only length the writing mechanism has for
 * k_udata. Whatever fills these two fields must set k_ulen to the number
 * of bytes actually present at k_udata, not a length supplied by the
 * caller -- confirm in the implementation.
 */
struct kaudit_record {
	struct audit_record k_ar;
	caddr_t k_udata;		/* user data */
	u_int k_ulen;			/* user data length */
	struct uthread *k_uthread;	/* thread we are auditing */
	TAILQ_ENTRY(kaudit_record) k_q;	/* linkage on the record queue */
};

struct proc;
struct vnode;
struct componentname;

/*
 * Record lifecycle. audit_new() creates a record for an event on behalf
 * of a process/thread; audit_commit() finishes it with the system call's
 * error and return value; audit_abort() discards it. audit_init() and
 * audit_shutdown() bring the subsystem up and down.
 */
void audit_abort(struct kaudit_record *ar);
void audit_commit(struct kaudit_record *ar, int error,
    int retval);
void audit_init(void);
void audit_shutdown(void);

/* NOTE(review): presumably returns NULL when no record can be allocated -- confirm. */
struct kaudit_record *audit_new(int event, struct proc *p,
    struct uthread *uthread);

/* System call entry and exit hooks; code is the syscall number. */
void audit_syscall_enter(unsigned short code, struct proc *proc, struct uthread *uthread);
void audit_syscall_exit(int error, struct proc *proc,
    struct uthread *uthread);

/* Convert an in-kernel record to a BSM record; *pau receives the result. Returns 0 on success presumably -- confirm. */
int kaudit_to_bsm(struct kaudit_record *kar,
    struct au_record **pau);

/*
 * Check a BSM record for validity. NOTE(review): if any caller hands
 * this a record received from user space, every read it performs must be
 * bounded by the record's declared length -- confirm in the implementation.
 */
int bsm_rec_verify(caddr_t rec);

/*
 * Kernel versions of the BSM audit record functions.
 *
 * kau_open() allocates a record, kau_write() presumably appends the token
 * m to it, kau_close() finalizes it with the end time and event, and
 * kau_free() releases it. The kau_to_*() helpers build individual tokens:
 * kau_to_file() a file token, kau_to_header*() the record header in the
 * generic, 32-bit and 64-bit forms.
 *
 * NOTE(review): rec_size is a plain int; the header builders presumably
 * expect a non-negative record length computed by the caller, not a value
 * taken from an untrusted source -- confirm. kau_to_file() takes a
 * non-const char *; whether it modifies the string is not visible here.
 */
struct au_record *kau_open(void);
int kau_write(struct au_record *rec, token_t *m);
int kau_close(struct au_record *rec,
    struct timespec *endtime, short event);
void kau_free(struct au_record *rec);
void kau_init(void);
token_t *kau_to_file(char *file, struct timeval *tv);
token_t *kau_to_header(struct timespec *ctime, int rec_size,
    au_event_t e_type, au_emod_t e_mod);
token_t *kau_to_header32(struct timespec *ctime, int rec_size,
    au_event_t e_type, au_emod_t e_mod);
token_t *kau_to_header64(struct timespec *ctime, int rec_size,
    au_event_t e_type, au_emod_t e_mod);
/*
 * The remaining kernel functions are conditionally compiled in as they
 * are wrapped by a macro, and the macro should be the only place in
 * the source tree where these functions are referenced.
 *
 * Each audit_arg_*() stores one argument (or a group of related
 * arguments) into the current record and presumably sets the matching
 * ARG_* bit in ar_valid_arg; which record it targets, and what happens
 * when there is none, is not visible from this header.
 */
#ifdef AUDIT
void audit_arg_accmode(int mode);
void audit_arg_cmode(int cmode);
void audit_arg_fd(int fd);
void audit_arg_fflags(int fflags);
void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
    gid_t sgid);
void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
    uid_t suid);
/* gidset_size is the caller's element count; struct groupset can hold at most NGROUPS. */
void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
/*
 * The array type documents the intended buffer size but, as a parameter,
 * decays to char *; nothing here prevents a shorter or unterminated
 * buffer, so the implementation must copy at most MAXLOGNAME bytes and
 * NUL-terminate the stored copy.
 */
void audit_arg_login(char[MAXLOGNAME]);
void audit_arg_mask(int mask);
void audit_arg_mode(mode_t mode);
void audit_arg_dev(int dev);
void audit_arg_owner(uid_t uid, gid_t gid);
void audit_arg_pid(pid_t pid);
void audit_arg_signum(u_int signum);
void audit_arg_socket(int sodomain, int sotype,
    int soprotocol);
/* so: stored into ar_arg_sockaddr, which is only a generic struct sockaddr; see the note there. */
void audit_arg_sockaddr(struct proc *p,
    struct sockaddr *so);
void audit_arg_auid(uid_t auid);
/*
 * flags: presumably ARG_UPATH1 or ARG_UPATH2 (ARG_VNODE1/ARG_VNODE2 for
 * audit_arg_vnpath) to select which of the two slots is filled -- confirm.
 */
void audit_arg_upath(struct proc *p, char *upath,
    u_int64_t flags);
void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
/* The record keeps a char *ar_arg_text; whether text is copied or referenced is not visible here. */
void audit_arg_text(char *text);
void audit_arg_cmd(int cmd);
void audit_arg_svipc_cmd(int cmd);
void audit_arg_svipc_perm(struct ipc_perm *perm);
void audit_arg_svipc_id(int id);
void audit_arg_svipc_addr(void *addr);

/* Per-process audit state hooks (init / fork / free); the state they manage is not shown here. */
void audit_proc_init(struct proc *p);
void audit_proc_fork(struct proc *parent,
    struct proc *child);
void audit_proc_free(struct proc *p);

/*
 * Define a macro to wrap the audit_arg_* calls by checking the global
 * audit_enabled flag before performing the actual call.
 *
 * Only audit_enabled is tested here; audit_suspended is not. The
 * "args..." named variadic form is a GNU extension. The arguments are
 * evaluated only when audit_enabled is set, and the !AUDIT variants below
 * never evaluate them at all, so callers must not pass expressions with
 * side effects.
 */
#define AUDIT_ARG(op, args...) do { \
	if (audit_enabled) \
		audit_arg_ ## op (args); \
} while (0)

/* Run an arbitrary statement only when audit_enabled is set; same caveats as AUDIT_ARG. */
#define AUDIT_CMD(audit_cmd) do { \
	if (audit_enabled) { \
		audit_cmd; \
	} \
} while (0)

#else /* !AUDIT */
/* Audit compiled out: both macros expand to an empty statement and never evaluate their arguments. */
#define AUDIT_ARG(op, args...) do { \
} while (0)

#define AUDIT_CMD(audit_cmd) do { \
} while (0)

#endif /* AUDIT */

#endif /* KERNEL */

#endif /* !_SYS_KERN_AUDIT_H */